000032400 - Meta values take a long time to load in investigations after upgrading to RSA Security Analytics 10.5

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032400
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics UI, Decoder, Concentrator, Archiver
RSA Version/Condition: 10.5.x
Platform: CentOS
Issue:
After upgrading to Security Analytics 10.5.x from 10.4.x, investigations experience poor performance.
Meta values which previously loaded quickly in 10.4.x may take 5-10 minutes or longer to load.
Cause:
This issue occurs because index database slicing changed between versions 10.4.x and 10.5.x: size-based slice rolls were introduced to replace the time-based index slice rolls.
In earlier releases, time-based index slicing caused indexes to roll every 8 hours, regardless of how much data was contained in the index slice.
While this model is suitable for high bandwidth utilization, when Concentrators, Decoders, or Archivers are under light load it may cause the index partition to contain a very large number of very small index slices. 
With so many tiny index slices, open operations in the Investigation module must traverse a great number of indexes to retrieve the same amount of information.
Workaround:
As explained in the Security Analytics 10.5 Core Database Tuning Guide, under certain circumstances the only way to rectify extreme performance sluggishness in investigations after upgrading to Security Analytics 10.5.x is to perform a core appliance database reindex.
NOTE:  No data can be collected on decoders while a reindex is being performed.  
Depending on the amount of data, the reindex may take several days to complete on a loaded Concentrator or Decoder, and may potentially take several days on an Archiver as well.
For instructions on performing a manual index on a Concentrator, Decoder, or Archiver appliance, refer to the article entitled How to Index Reset an RSA Security Analytics Appliance in Explore View.