000029950 - Concentrator unable to catch up to decoder in RSA Security Analytics and NetWitness Platform

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 16, 2019.
Version 5

Article Content

Article Number: 000029950
Applies To: RSA Product Set: Security Analytics, NetWitness
RSA Product/Service Type: Concentrator, Decoder
RSA Version/Condition: 10.x, 11.x
Issue: When a failed concentrator is brought back online (for any unspecified reason) without its previous meta set, the concentrator may be unable to catch up to the decoder in a reasonable time due to the sheer volume of decoder data (several terabytes, for example). In circumstances such as this, a practical solution is to establish a reasonable amount of metadata that the concentrator will be able to consume based on time.

Please note: changes to the timeRoll settings prune data based on time on the decoder. Once the data is pruned, it is no longer available.

How to use the timeRoll parameter on a packet decoder

timeRoll will prune data in the db based on time in either hours or days.

From the NW UI (any 10.X/11.X version):
  1. Select the Explorer view on the appliance, select Database.
  2. Right click on Database and choose Properties.
  3. The lower section of the screen shows the section Properties for Decoder (decoder)/database.
  4. Click on the pulldown next to Parameters.
  5. By default, ls is the selected option; click on the pulldown and select timeRoll.

  6. In the parameter window, enter a database value to pass to timeRoll.
    1. Example 1: timeRoll of Metadb based on a date

       type=meta date="2019-08-11 12:30:00"

       This prunes meta earlier than August 11, 2019 12:30:00.
       Output: Removed 10 meta files.

    2. Example 2: timeRoll of Metadb based on 10 days

       type=meta days=10

       This prunes meta earlier than 10 days.
       Output: Removed 1 meta files.