000031334 - ESA Alerts Summary page is blank or displays "Error getting data" in the RSA Security Analytics UI

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support on Aug 21, 2019
Version 4

Article Content

Article Number: 000031334

Applies To

RSA Product Set: Security Analytics
RSA Product/Service Type: Event Stream Analysis (ESA), Security Analytics UI
RSA Version/Condition: 10.6.x
Platform: CentOS
Platform (Other): MongoDB
O/S Version: EL6
Issue

When navigating to the Alerts -> Summary page in the RSA Security Analytics UI, the error message "Error getting data" is displayed.

The Alerts Summary page may also simply be blank, with no data displayed.

Cause

This issue occurs when the MongoDB database that stores the ESA alerts becomes too large.

Resolution

Run the following command from an SSH session on your ESA host to check the size of the ESA alert database:

# echo 'show collections' | mongo esa -u esa -p esa



You will receive an output similar to the following:




[Image: mongo output]

Workaround

To maintain the size of the ESA alert database at a manageable level, please refer to the article entitled ESA Config: Configure ESA Storage.




To reduce the size of the ESA alert database, there are a few options:



  • Use ESATool, as described in the article Event Stream Analysis troubleshooting script (ESATool) for the RSA NetWitness Platform.

    • Please note that this process may not complete if the size of the ESA alert database is very large.
  • If ESATool does not resolve the issue, run the following commands from an SSH session of the ESA host in question: 

    > service tokumx stop
    > service tokumx start
    > mongo esa -u esa -p esa
    > db.alert.drop()


    Please note: db.alert.drop() will permanently remove all of the alerts that are currently in the ESA alert database.
