|Applies To||RSA Product Set: Security Analytics, NetWitness|
RSA Product/Service Type: Concentrator, Decoder
RSA Version/Condition: 10.x , 11.x
|Issue||When a failed concentrator is brought back online (for reason inspecific) without its previous meta set, the concentrator may fail to reasonably catch up to the decoder due to the sheer volume of decoder data (several terabytes, for example). In circumstances such as this, a practical solution is to establish a reasonable amount of metadata that the concentrator will be able to consume based on time.|
Please note: changes to the timeRoll settings prunes data based on time on the decoder. Once the data is pruned it is no longer available.
How to use the timeRoll parameter on a packet decoder
timeRoll will prune data in the db based on time in either hours or days.
From the NW UI (any 10.X/11.X version),
type=meta date="2019-08-11 12:30:00"
..prunes meta earlier than August 11, 2019 12:30:00 .
Output: Removed 10 meta files.
..prunes meta earlier than 10 days
Output: Removed 1 meta files.