000032786 - Deployed Rule Memory Utilization shows 0 in Health and Wellness when Capture Time Ordering is enabled in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000032786
Applies ToRSA Product Set: Security Analytics

RSA Product/Service Type: Health & Wellness, Event Stream Analysis (ESA), Security Analytics UI

RSA Version:
IssueOnce StreamEnabled value is set to true (default value is false) for enabling Capture Time Ordering in ESA appliance, (Administration > Services > ESA > Explore > com.rsa.netwitness.esa > Workflow > Source > nextgenAggregationSource > StreamEnabled) the deployed ESA Rule Memory Utilization shows 0 in Health and Wellness.
AverageBytesPerMeta in Administration > Services > ESA > Explore > com.rsa.netwitness.esa > CEP > Engine > cepEngine always shows 0 when StreamEnabled is true.
ResolutionThis issue has been addressed in Security Analytics
WorkaroundDisable Capture Time Ordering in ESA.
  1. In the Security Analytics UI, select Administration > Services > ESA > Explore.
  2. Go to Workflow > Source > nextgenAggregationSource.
  3. Set the StreamEnabled attribute to false.
  4. Set the TimeOrdered attribute to false.
If you disable Capture Time Ordering, you will lose the backlogged data, and events will no longer be ordered by capture time.
NotesFor more information on Capture Time Ordering, refer to the Security Analytics 10.6 User Guide.