Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000039460 - Report fails when lookup_and_add rule action used in RSA NetWitness Platform

Document created by RSA Customer Support

on Nov 19, 2020

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000039460
Applies To	RSA Product Set: RSA NetWitness Platform RSA Product/Service Type: Reporting Engine RSA Version/Condition: 11.3.2.0 Platform: CentOS O/S Version: 7
Issue	When Report ran with lookup_and_add rule action using Reporting: NWDB Rule Syntax document, The report fails with the below error. Error occurred while fetching data from source 'BROKER[10.10.1.1]'. Error details : rule syntax error: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys for device: 10.10.1.2:50005.
Cause	This issue is due to one of the data sources of broker does not have real-time data. lookup_and_add rule action iterates through a list of values in a result set and lookup additional metadata. If one datasource offers no values for report duration, that report fails with an error.
Workaround	Please Investigate the data source (From error log, 10.10.1.2 concentrator) concentrator why real-time logs are not available. Possible causes: Concentrator aggregation stopped. Concentrator aggregation has huge sessions.behing with status consuming. This can be verified in ADMIN->Services->Concentrator->Config->General Page. Once real-time data available in all data sources of Broker, the report runs successfully.

Attachments

Outcomes

0 Comments

Recommended Content