000038629 - How to show the Top Queries running on RSA Netwitness Platform's Concentrator or Broker

Document created by RSA Customer Support Employee on Mar 26, 2020

Article Content

Article Number: 000038629
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Concentrator, Broker
RSA Version/Condition: 11.x
Issue: As you run queries on the Concentrator and/or Broker (through the UI "Investigate" tab, or queries run by the Reporting Engine), slowness may occur. As the complexity of a query increases, it may run for a longer period of time, and a long-running query reserves and uses larger amounts of resources (memory).

In this case, you must identify the top queries consuming resources for fine-tuning purposes.
 
Resolution

To identify the top queries running on a Concentrator or Broker, run the command below from an SSH session on the Concentrator or Broker. NwConsole reads the audit entries in /var/log/messages and prints, for the requested number of top queries, the query syntax, the time taken to run, and the memory utilized.

Command:
NwConsole -c topquery input=/var/log/messages top=<top number of queries>

Example:
NwConsole -c topquery input=/var/log/messages top=5

Example of Command Output
[root@lconcentrator ~]# NwConsole -c topquery input=/var/log/messages top=5
RSA NetWitness NextGen Console 11.4.0.0 Copyright 2001-2020, RSA Security Inc. 
All Rights Reserved.  

>topquery input=/var/log/messages top=5
# Mar  6 11:33:56 lconcentrator NwConcentrator[2273]: [SDK-Values] [audit] User admin (session 23888, 192.168.2.101:36886) has finished values (channel 25217, queued 00:00:00, execute 00:00:24): fieldName=category id1=1 id2=150581910 threshold=100000 size=20 flags=sessions,sort-total,order-descending where="time=\"2020-03-03 09:28:00\"-\"2020-03-03 09:32:59\"" queryPriority=20
/sdk values fieldName=category id1=1 id2=150581910 threshold=100000 size=20 flags=sessions,sort-total,order-descending where="time=\"2020-03-03 09:28:00\"-\"2020-03-03 09:32:59\"" queryPriority=20  

# Mar  6 11:33:56 lconcentrator NwConcentrator[2273]: [SDK-Values] [audit] User admin (session 23888, 192.168.2.101:36886) has finished values (channel 25230, queued 00:00:00, execute 00:00:23): fieldName=checksum id1=1 id2=150581910 threshold=100000 size=20 flags=sessions,sort-total,order-descending where="time=\"2020-03-03 09:28:00\"-\"2020-03-03 09:32:59\"" queryPriority=20
/sdk values fieldName=checksum id1=1 id2=150581910 threshold=100000 size=20 flags=sessions,sort-total,order-descending where="time=\"2020-03-03 09:28:00\"-\"2020-03-03 09:32:59\"" queryPriority=20  

# Mar  6 11:34:31 lconcentrator NwConcentrator[2273]: [SDK-Values] [audit] User admin (session 23888, 192.168.2.101:36886) has finished values (channel 26437, queued 00:00:00, execute 00:00:10): fieldName=event.time id1=1 id2=150581910 threshold=100000 size=20 flags=sessions,sort-total,order-descending where="time=\"2020-03-03 09:28:00\"-\"2020-03-03 09:32:59\"" queryPriority=20
/sdk values fieldName=event.time id1=1 id2=150581910 threshold=100000 size=20 flags=sessions,sort-total,order-descending where="time=\"2020-03-03 09:28:00\"-\"2020-03-03 09:32:59\"" queryPriority=20  

# Mar  6 11:34:31 lconcentrator NwConcentrator[2273]: [SDK-Values] [audit] User admin (session 23888, 192.168.2.101:36886) has finished values (channel 26489, queued 00:00:00, execute 00:00:09): fieldName=tld id1=1 id2=150581910 threshold=100000 size=20 flags=sessions,sort-total,order-descending where="time=\"2020-03-03 09:28:00\"-\"2020-03-03 09:32:59\"" queryPriority=20
/sdk values fieldName=tld id1=1 id2=150581910 threshold=100000 size=20 flags=sessions,sort-total,order-descending where="time=\"2020-03-03 09:28:00\"-\"2020-03-03 09:32:59\"" queryPriority=20  

# Mar  6 11:34:07 lconcentrator NwConcentrator[2273]: [SDK-Values] [audit] User admin (session 23888, 192.168.2.101:36886) has finished values (channel 25353, queued 00:00:00, execute 00:00:08): fieldName=event.desc id1=1 id2=150581910 threshold=100000 size=20 flags=sessions,sort-total,order-descending where="time=\"2020-03-03 09:28:00\"-\"2020-03-03 09:32:59\"" queryPriority=20
/sdk values fieldName=event.desc id1=1 id2=150581910 threshold=100000 size=20 flags=sessions,sort-total,order-descending where="time=\"2020-03-03 09:28:00\"-\"2020-03-03 09:32:59\"" queryPriority=20    

553 queries were analyzed, from '2020-Mar-04 07:50:51' to '2020-Mar-11 07:50:51'
548 (99.1%) queries executed <= 5 seconds
3 (0.5%) queries executed <= 10 seconds
0 (0.0%) queries executed <= 20 seconds
2 (0.4%) queries executed <= 30 seconds
0 (0.0%) queries executed <= 60 seconds
0 (0.0%) queries executed <= 120 seconds
0 (0.0%) queries executed <= 300 seconds
0 (0.0%) queries executed <= 600 seconds
0 (0.0%) queries executed <= 1200 seconds
0 (0.0%) queries executed <= 3600 seconds
0 (0.0%) queries executed > 3600 seconds  

Top memory usage: channel 23689 max memory used: 3.549994 MB
channel 23675 max memory used: 2.008521 MB
channel 23702 max memory used: 2.001143 MB
channel 30312 max memory used: 94.90625 KB
channel 30864 max memory used: 94.90625 KB

Notes: The top option in the command can be changed from "5" to any number to show that many of the top queries using the Concentrator's or Broker's memory, which may be impacting the data source's performance.
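The ranking above is derived from the [SDK-Values] audit lines that NwConcentrator writes to /var/log/messages. The following added example (not RSA's code, and not the NwConsole implementation) parses a copy of such lines offline, ranks them by execute time and reproduces the "queries executed <= N seconds" summary, which is useful when reviewing a log bundle taken from a device; the sample lines are constructed in the format shown in the output above, and the per-channel memory figures are not reproduced because the page does not show which log lines they come from.

```python
import re
from collections import Counter

# Matches the "[SDK-Values] [audit] ... has finished values (channel N, queued HH:MM:SS,
# execute HH:MM:SS): <query>" audit line format shown in the article's output.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: \[SDK-\w+\] \[audit\] "
    r"User (?P<user>\S+) \(session (?P<session>\d+), (?P<peer>\S+)\) has finished \w+ "
    r"\(channel (?P<channel>\d+), queued (?P<queued>\d\d:\d\d:\d\d), "
    r"execute (?P<execute>\d\d:\d\d:\d\d)\): (?P<query>.*)$"
)

# Histogram thresholds (seconds) matching the summary NwConsole prints.
BUCKETS = [5, 10, 20, 30, 60, 120, 300, 600, 1200, 3600]

def hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_audit_lines(lines):
    """Return one record per finished-query audit line; unrelated lines are skipped."""
    out = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["execute_s"] = hms_to_seconds(rec["execute"])
            out.append(rec)
    return out

def top_queries(records, top=5):
    """Longest-running queries first, like 'top=<n>' in the NwConsole command."""
    return sorted(records, key=lambda r: r["execute_s"], reverse=True)[:top]

def histogram(records):
    """Count queries per execute-time bucket, as in the 'queries executed <= N seconds' summary."""
    counts = Counter()
    for r in records:
        bucket = next((b for b in BUCKETS if r["execute_s"] <= b), None)
        counts[f"<= {bucket}" if bucket else "> 3600"] += 1
    return counts

def audit_line(ts, channel, execute, query, user="admin"):
    """Build a constructed audit line in the article's format (sample data only)."""
    return (f"{ts} lconcentrator NwConcentrator[2273]: [SDK-Values] [audit] "
            f"User {user} (session 23888, 192.168.2.101:36886) has finished values "
            f"(channel {channel}, queued 00:00:00, execute {execute}): {query}")

SAMPLE = [  # constructed sample lines, not a real log
    audit_line("Mar  6 11:33:56", 25217, "00:00:24", "fieldName=category size=20"),
    audit_line("Mar  6 11:33:56", 25230, "00:00:23", "fieldName=checksum size=20"),
    audit_line("Mar  6 11:34:31", 26437, "00:00:10", "fieldName=event.time size=20"),
    audit_line("Mar  6 11:34:31", 26489, "00:00:03", "fieldName=tld size=20"),
    "Mar  6 11:35:00 lconcentrator sshd[100]: unrelated line",
]
```

To run it against a copied log, replace SAMPLE with `open("/path/to/messages").read().splitlines()` and print `top_queries(...)` and `histogram(...)`.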
