
Investigate: Drill into Metadata in the Events View (Beta)

Document created by RSA Information Design and Development on Sep 8, 2020. Last modified by RSA Information Design and Development on Sep 8, 2020.
Version 2

Note: This section applies to Version 11.5 and later. The feature is a beta feature that is enabled by default, and can be disabled by the system administrator as described in the System Security and User Management Guide.

When working in the Events view, the focus of an investigation is the smallest possible set of relevant events in sequential order. You can reduce the number of visible events loaded in the Events view using query profiles, column groups, meta groups, and queries. However, it is more efficient to limit the data set using the metadata indexed on the Concentrator before looking at the actual events stored on the Decoder or Log Decoder.

In Version 11.4.x and earlier, it is best to start by looking at the meta keys and meta values indexed on the Concentrator and drill into the metadata in the Navigate view to find a relevant set of events, with each drill or query further limiting the data set. When you have a meaningful data set, or drill point, you can examine the details of the related events in sequential order in the Events view.

Beginning with Version 11.5, you can drill into the metadata in the Filter Events panel without leaving the Events view. The list of meta keys and meta values shown is derived from all events seen in the environment for the time range of the query. When you find the drill point of interest in the Filter Events panel, you can open the Events panel to see the sequential events. Because the data set has already been narrowed, the set of events loaded in the Events view is smaller and loads faster, and the investigation flows more smoothly with less hopping between views. The figure below illustrates the panel, open to the left of the Events panel.
The initial view of the Filter Events panel

Note: There are two situations in which results in the Filter Events panel may not be as expected:
- In a mixed-mode environment with a Version 11.5 Broker and some Core services at RSA NetWitness Platform Version 11.4 or earlier, a text filter is not supported in the Filter Events panel. If the query in the Events panel includes a text filter, the result set in the Events panel and the Filter Events panel may be different.
- If the query in the Events view query builder has a logical OR or &&, the results in the Events view may be different from the results for the same query in the Navigate view and Legacy Events view. In this situation, a set of parentheses automatically encloses the logical OR expression in the Navigate view and Legacy Events view, while parentheses have to be added manually in the Events view. If this occurs, you need to enclose the logical OR expression in an additional set of parentheses: select the two filters in the query bar, right-click one of them, and select Wrap in parentheses in the menu.

Modes of Operation

The Filter Events panel has two modes of operation.

  • The condensed Filter Events panel is part of a faceted search view into the data (shown above). Left- or right-clicking a meta value adds a new filter, automatically executes a new query, and displays matching events in the sequential list of events. When both panels are open, you can drill into the data in both the Filter Events panel and the Events panel. Each time you left-click a meta value in the Filter Events panel, an expression is appended to the query bar, and the query is executed by default. The query results show new metadata to filter by in the Filter Events panel and the resulting events that match the query in the Events panel. If you change the service or other query elements in the Events panel, you need to execute the query to reload the Filter Events panel.
  • The fully expanded Filter Events panel uses the full width of the browser window to provide ample real estate to hunt through the metadata without the performance load of immediately submitting a query or viewing the sequential events. As you click a new meta value and drill into the meta values, each meta value is added to the query filter and executed in the Filter Events panel, so that the number of events seen is reduced. Because the Events panel is closed, the query in the Events panel is not updated and the query is not executed. When you collapse the Filter Events panel back to original size, the Events list opens and the query is executed. This is an example of the fully expanded panel.

example of the fully expanded Filter Events panel

View Metadata in the Filter Events Panel

To view metadata in the Filter Events panel:

  1. Go to Investigate > Events, select a service to investigate, and select a time range.
  2. (Optional) Select a column group or a query profile.
  3. Click the Submit Query button to load events in the Events panel.
    A query is executed in the Events panel and matching events are listed.
  4. Click the Filter button in the Events panel.
    The Filter Events panel opens to the left of the Events panel.
    The initial view of the Filter Events panel

The Default Meta Keys meta group is in effect the first time you log in. If you selected a different meta group the last time you logged in, it remains in effect until the browser cache is cleared. See Use Meta Groups to Focus on Relevant Meta Keys for details about meta groups. Based on the contents of the index file for the service, the Filter Events panel is populated with the first 25 meta keys that have at least one meta value and are open. When using the Default Meta Keys group in the Filter Events panel, only the first 30 meta keys with values are open and the remaining ones are closed. Closed meta keys may be listed, but they do not count toward the 25 or 30 meta keys total. Meta keys with no values are listed at the bottom of the panel. You can expand, collapse, and close the panel using the standard panel controls (expand or collapse left icon, expand or collapse right arrow, and close button).

Understand Visible Metadata

Each meta key has a list of meta values, with up to 20 values displayed by default. You can click Show More Values to incrementally add 20 meta values, up to a total of 1,000 meta values, which is a hard-coded limit to optimize performance. The meta key name and plain English name of each meta key found in the service, both populated and non-populated, are listed. For each meta value, you can see the number of events in the current results that contain the value (count) or the size of the events in the current results (size). For example, the following might be listed:

Action Event [action] (3)
get (3016) login (1346) put (501)

In this example, the meta key name is action, the English name is Action Event, and three meta values were found for this meta key. There were 3016 events containing get, 1346 events containing login, and 501 events containing put. The values are ordered so that the value with the largest count is listed first.

In the following example, the same meta key has the values ordered based on the event size in bytes. The smallest size is listed first:

Action Event [action] (3)
login (13,034,588) put (21,848,760) get (1,409,079,256)

An icon before each meta key name identifies the indexing method for the key. The indexing method determines the types of interactions and queries possible using that meta key.

  • Indexed by value (green icon): a meta key indexed by value. The green color indicates that all available interactions and queries are supported. You can see the available interactions in the context menu by right-clicking the meta value.
  • Indexed by meta key (yellow icon): a meta key indexed by meta key. The yellow color is a clue that only a subset of the available interactions is supported, and queries on this meta key may take longer than on meta keys that are indexed by value. You can see the available interactions in the context menu by right-clicking the meta value.
  • Not indexed: a non-indexed meta key. Values for non-indexed meta keys cannot be used in a query. If you want to query a meta key that is not indexed, your administrator needs to edit the index file for the service to index the meta key by value or by meta key.

If an error occurs while loading a meta key, the other meta keys load as usual and an error message is displayed in the meta key that did not load. When you execute a new query, some error messages disappear. Meta keys that have no values in the set of events are listed at the bottom of the panel.

Set the Ordering Method for Meta Values

With the Filter Events panel open, you can look at two parameters for each value: the event count or the event size. Each meta key entry includes either the event count or the event size in parentheses after the value. In both cases, there are four options for ordering.

To use the ordering options:

  1. With the Filter Events panel open, click the ordering menu label, which is named according to the selected ordering option (for example, the label shown when ordering by event count in ascending order by total count).
    The Ordering menu is displayed. The figures show the narrow version of the menu.
    the Ordering menu in the Filter Events view
    the Ordering menu showing Event Size options
  2. If you want to see the event count in parentheses after each value, select one of the following options. By default, the meta keys are displayed using the Event Count > Descending by Total Count method.
    1. To order by total count of events in which the value was found, select either Descending by Total Count or Ascending by Total Count.
    2. To order by the name of the value, select either Ascending by Value or Descending by Value.
  3. If you want to see the size in bytes of the events in which the value was found, select one of the following options.
    1. To order by total size of events in which the value was found, select either Descending by Total Size or Ascending by Total Size.
    2. To order by the name of the value, select either Ascending by Value or Descending by Value.
      Under each meta key in the Filter Events panel, the values are ordered according to your selection.
      Values sorted by event count in ascending order

Drill into Meta Values

With the Filter Events panel open, you can drill into meta values to focus an investigation down to the smallest possible set of relevant events. Drilling in the fully expanded Filter Events panel adds filters to the query bar and refines the displayed metadata in the Filter Events panel, but does not execute the query in the Events panel. Drilling in the narrow panel, side by side with the Events panel, adds the filter to the query bar and executes the query in the Events panel and the Filter Events panel. This figure is an example of the fully expanded panel with some metadata loaded.

an example of the Filter Events panel with meta values sorted by total count

To drill into meta values in the fully expanded Filter Events panel:

  1. Look for a meta value that is of interest, and click the value. Using the figure above as an example, to investigate the SMTP service type as opposed to other service types, click 25[SMTP].
    The other service types are filtered out of the metadata in the Filter Events panel, but the query is not executed in the Events panel.
  2. Repeat step 1 with another meta value, for example, writetoexecutable in the Action Event [action] meta key. Continue drilling into values until you find a set of events (drill point) that you want to see in sequential order.
  3. To view the sequential events for the drill point, click the left double arrows to shrink the Filter Events panel.
    The Events panel opens to the right, and the query is executed in the Events panel so that you can see the raw events in sequential order.

To drill into meta values in the narrow Filter Events panel:

  1. Look for a meta value that is of interest, and click the value. Using the figure above as an example, to investigate the SMTP service type as opposed to other service types, click 25[SMTP].
    The filter is added as the last filter in the query bar, other service types are filtered out of the metadata in the Filter Events panel, and the query is executed in the Events panel.
  2. Continue clicking values to refine the set of events (drill point). As you refine the set of events, examine and reconstruct the raw events for the same set in the Events panel.
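As an added example (not NetWitness code) that illustrates the counts and sizes shown under each meta key, the ordering options, and the drill behaviour described above, the following Python mock computes facets over constructed events and appends drill filters to a query; the query syntax (`&&`, `||`, quoted strings), the event records, and the function names are assumptions:

```python
# Added example, not product code: a mock of the Filter Events panel's faceted
# counts, its ordering options, and the drill that appends "<meta key> = <meta value>".
from collections import defaultdict

# Constructed sample events: each has a byte size and a few meta keys.
EVENTS = [
    {"size": 900, "action": "get", "service": 80},
    {"size": 700, "action": "get", "service": 80},
    {"size": 300, "action": "login", "service": 25},
    {"size": 2000, "action": "put", "service": 25},
    {"size": 150, "action": "login", "service": 80},
]

def facets(events, key):
    """Return {value: (event count, total size in bytes)} for one meta key."""
    out = defaultdict(lambda: [0, 0])
    for ev in events:
        if key in ev:                      # events without the key add no value
            out[ev[key]][0] += 1
            out[ev[key]][1] += ev["size"]
    return {v: tuple(c) for v, c in out.items()}

def order_values(fac, method):
    """method is one of the panel's labels, e.g. 'Descending by Total Count'."""
    direction, _, field = method.partition(" by ")
    keyfn = {"Total Count": lambda kv: kv[1][0],
             "Total Size": lambda kv: kv[1][1],
             "Value": lambda kv: str(kv[0])}[field]
    return [v for v, _ in sorted(fac.items(), key=keyfn,
                                 reverse=(direction == "Descending"))]

def drill(query, key, value, op="="):
    """Append a drill filter the way a left-click does. A top-level OR is
    wrapped first, because 'a || b && c' would otherwise bind as 'a || (b && c)',
    which is the precedence pitfall the note at the top of the page describes."""
    literal = repr(value) if isinstance(value, str) else str(value)
    clause = f"{key} {op} {literal}"
    if not query:
        return clause
    if "||" in query:                      # extra parentheses are harmless
        query = f"({query})"
    return f"{query} && {clause}"

def matching(events, filters):
    """filters: list of (key, op, value) with op in =, !=, contains."""
    ops = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
           "contains": lambda a, b: str(b) in str(a)}
    return [ev for ev in events
            if all(k in ev and ops[o](ev[k], v) for k, o, v in filters)]
```

Drilling on `service = 25` and then recomputing `facets(..., "action")` reproduces the narrowing the panel shows: only the values present in the remaining events are listed.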

Copy the Meta Values for a Meta Key

To copy all of the visible meta values for a meta key:

  1. In the meta key row of an entry, click the Meta Key options button.
    The Meta Key options are displayed. Currently the only option is Copy Values.
    the Copy Values option for a selected meta key
  2. Click Copy Values.
    A comma-separated list of the values is copied to your local clipboard. This is an example of the clipboard contents: "get", "login", "put".


View a Selected Meta Value in RSA Live

  1. Right-click a meta value, for example login.
    The Meta Value drop-down menu is displayed with the Copy option selected initially.
    example of the options for a meta value
  2. To look up the meta value (login in this example) in RSA Live, select Live Lookup.
    The Live Search view is displayed with the meta value entered in the Generated Meta Values field, and ready for a search.

    Live Search View

Refocus the Investigation of a Meta Value

For each value listed under a meta key, the focus is <meta key> = <meta value>. When you right-click a meta value, a context menu with different refocus options is displayed. All of the refocus actions update the drill point in the Events panel and the Filter Events panel.

  1. To append the key-value pair to the query with different operators (=, !=, contains), right-click a meta value (for example UDP in the figure below) and select one of the Apply <operator> Drill options.
    the options when right-clicking a value
  2. To start the query over with the key-value pair and a different operator (=, !=, contains), right-click a value and select one of the Refocus <operator> Drill options.
    the Refocus options
  3. To append the key-value pair to the query or start the key-value pair over in a new browser tab, right-click a value and select one of the Refocus New Tab > Refocus <operator> Drill in New Tab or Refocus <operator> Drill in New Tab options.
    the Refocus New Tab options
    The drill is refocused according to your choice, and the new query is executed in the Events panel.