|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.5.2.0
|Issue||The decoder on a hybrid decoder/concentrator is reporting that it is retaining more packet data then session or Meta. Shouldn't it be the opposite?|
|Resolution||The session and meta only exist long enough for the concentrator to consume them. There is enough space on the decoder of session and meta to run if there is an outage of the concentrator. That way when the concentrator comes back online it can pick up where it left off.|
When you investigate the concentrator it refers to its own session and meta even on a hybrid.
When you investigate the decoder your queries are on the raw packets and not the session and meta - you should have more retention of packet data on the decoder.
What you'll want to do is verify the retention of session and meta on the concentrator and compare that with the retention you have for decoder packets.