000039460 - Report fails when lookup_and_add rule action used in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Nov 19, 2020
Version 1

Article Content

Article Number: 000039460
Applies To
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Reporting Engine
RSA Version/Condition:
Platform: CentOS
O/S Version: 7
Issue
When a report is run with the lookup_and_add rule action, as described in the Reporting: NWDB Rule Syntax document, the report fails with the error below.

Error occurred while fetching data from source 'BROKER[]'. Error details : rule syntax error: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys for device:
Cause
This issue occurs when one of the Broker's data sources does not have real-time data. The lookup_and_add rule action iterates through a list of values in a result set and looks up additional metadata. If one data source returns no values for the report duration, the report fails with an error.

Workaround
Investigate why real-time logs are not available on the data source (the Concentrator named in the error log).

Possible causes:
  • Concentrator aggregation stopped.
  • Concentrator aggregation has a huge sessions.behind value with status consuming.

This can be verified in ADMIN->Services->Concentrator->Config->General Page.
Once real-time data is available in all data sources of the Broker, the report runs successfully.