000032470 - Unable to investigate on a meta value even when the value exists when looking at session in RSA Security Analytics

• When investigating, the meta is shown when but when you click on the green number no sessions are shown.
• A large number of unique values exist in the meta key
• In /var/log/messages on the concentrator the following message will be seen:

Jan 27 10:35:26 logconc NwConcentrator[2638]: [Index] [warning] Index key event.desc has reached max capacity of 1000 values and will ignore new values for this slice.

The issue with meta being seen in the session but not being able to investigate on, is often due to the number of unique meta key values filling up beyond the "Value Max Parameter" specified in the index.
The Value Max parameter in the index-concentrator.xml or index-concentrator-custom.xml determines the number of unique values that the meta key can hold per index slice. By default an index slice gets created every 8 hours, or if it has been configured every 600 Million Sessions. 
If for example your meta key holds 1000 values, then additional unique values will not be indexed, which means that you cannot click through to them when investigating. 
The values can be viewed though when you look at the event session view. 
The solution to this it one of the following: 
1) If the values stored in the metakey are as desired, then increase the value max setting in the index-concentrator-custom.xml for this meta key. Restart the concentrator service for the changes to then take effect. 
2) If the values in the metakey are not desired - perhaps there is a lot of misparsed information or other information being stored in the this metakey, then the best approach is to identify the source of this misparsed information and then correct it. This might for example involve updating a parser.  An example of misparsed information can be seen here:

Here we see that the event description key is holding a lot of unique values, that are essentially similar. The values are of the following form:

event.desc = 'postfix/postdrop[936]: warning: mail_queue_enter: create file maildrop/170032.936: no space left on device'

The parser should be updated so that these messages are broken down into constituent parts.
A more appropriate event description would perhaps be "no space left on device".
This would then prevent the event description meta key filling up with values that we are not interested in.