Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000026984 - How to optimize lookup_and_add queries in RSA NetWitness Platform Reporting Engine

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support on Sep 23, 2019

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000026984
Applies To	RSA Product Set: NetWitness Logs & Network RSA Product/Service Type: NetWitness Server, NetWitness Archiver, NetWitness Broker, NetWitness Concentrator, NetWitness Reporting Engine RSA Version/Condition: 10.6.x, 11.x Platform: CentOS
Issue	How to optimize lookup_and_add queries in RSA NetWitness Reporting Engine?
Resolution	When using the RSA NetWitness Reporting Engine lookup_and_add queries, this can result in a vast number of subqueries being generated to complete the task. Because of this, running these queries can be very performance-intensive and take a long time to complete. The recommendations below may be used to modify the queries to improve their efficiency. Modify the maximum pending queries on Services. In the NetWitness UI, navigate to Admin > Services Select the Archiver, Broker or Concentrator service that will be the subject of the lookup_and_add queries and click on View > Explore Navigate to sdk > config in the directory tree in the left pane. Change the configuration value of the max.pending.queries to be 1000. (The default is 100) The change takes effect immediately. Repeat the above steps for all other services against which queries will be executed. Change the lookup_and_add queries configuration on the Reporting Engine Service. In the NetWitness UI, navigate to Admin > Services Select the Reporting Engine service that will be the subject of a query and click on View > Config In the General tab under System Configuration, change the Max # Concurrent LookupAndAdd queries setting to 10. (The default is 2) Change the query level for those NetWitness logins who are executing the lookup_and_add queries. In the NetWitness UI, navigate to Admin > Services Select the Archiver, Broker or Concentrator service that will be the subject of the lookup_and_add queries and click on View > Security Click on the users that will be making the queries and change the Core Query Timeout setting to 60, for a 60-minute timeout on queries. Repeat the above steps for all other Services against which the queries will be executed, or use the Replicate button to push the change to the other Services. If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Notes	Additional references to the lookup_and_add queries configuration are discussed in the Reporting User Guide
Legacy Article ID	a66602

Attachments

Outcomes

0 Comments

Recommended Content