|Applies To||Security Analytics UI 10.4.X|
|Cause||When navigating through the Event Sources under the Event Monitoring System (ESM), some duplicate records may be found. Some of these records are correctly parsed, but others are incorrectly parsed (under either "unknown" or "different" device types, as shown in the example below). This is typically due to a known historical parsing issue in which the Event Source was parsed incorrectly at the time of deployment, leaving a stale entry alongside the correct one.|
|Resolution||To rectify this issue, remove the duplicates by clearing the logStats of the Log Decoder. Note that this clears all entries in ESM, not only the duplicates: ESM is then repopulated from newly received logs, so only Event Sources that send logs after the clear reappear, and they appear correctly parsed without the duplicates.|
1. In SA UI, select the LogDecoder and go to Explore view.
2. Right click on decoder and select Properties.
3. In the drop-down list, select "logStats". Click Send to confirm that the duplicate data (similar to what is seen in the ESM tab) is shown. This call is read-only, so use it to verify you are on the right Log Decoder before clearing anything.
4. Then, enter “op=clear” in Parameters and click Send again. The data will be cleared in the Log Decoder.
5. Restart the SMS service so the incorrectly parsed data is removed from ESM. From the command line on the SA server, via ssh, issue "service rsa-sms restart".
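The same procedure driven from a shell, as an added example that is not part of the original article: it reads logStats first (step 3), asks for confirmation because op=clear empties ESM, sends the clear (step 4) and restarts rsa-sms (step 5). The REST interface shape (port 50102, `/decoder?msg=logStats&op=clear`), basic-auth credentials in SA_USER/SA_PASS and root ssh to the SA server are assumptions not stated in the article; the UI path above is the documented route.

```shell
#!/bin/sh
# Added example, not from the original article: the logStats clear described
# above, driven from a shell with a read-only check first, an explicit
# confirmation (op=clear removes every Event Source entry from ESM), and the
# rsa-sms restart from step 5.
#
# Assumptions not stated in the article:
#  - The Log Decoder's REST interface listens on TCP 50102 and takes messages
#    as https://<host>:50102/<node>?msg=<message>&<param>=<value>, so the
#    "logStats" message on /decoder maps to /decoder?msg=logStats and the
#    "op=clear" parameter to /decoder?msg=logStats&op=clear.
#  - REST calls authenticate with basic auth using SA_USER / SA_PASS.
#  - The SMS service runs on the SA server named in SA_SERVER_HOST and is
#    reachable as root over ssh.
set -e

SA_CURL=${SA_CURL:-curl}    # overridable so the functions can be exercised offline
SA_SSH=${SA_SSH:-ssh}

# Build the REST URL for a message on the decoder node (assumed URL shape).
decoder_url() {
    _url="https://$1:50102/decoder?msg=$2"
    if [ -n "${3:-}" ]; then
        _url="${_url}&$3"
    fi
    printf '%s\n' "$_url"
}

# Step 3: read logStats without changing anything; compare with the ESM tab.
logstats_show() {
    "$SA_CURL" -sk --fail -u "${SA_USER}:${SA_PASS}" "$(decoder_url "$1" logStats)"
}

# Step 4: send op=clear; ESM stays empty until correctly parsed logs arrive.
logstats_clear() {
    "$SA_CURL" -sk --fail -u "${SA_USER}:${SA_PASS}" "$(decoder_url "$1" logStats op=clear)"
}

# Step 5: restart the SMS service on the SA server and report its status.
sms_restart() {
    "$SA_SSH" "root@$1" 'service rsa-sms restart && service rsa-sms status'
}

main() {
    decoder=$1; sa_server=$2
    : "${SA_USER:?set SA_USER}" "${SA_PASS:?set SA_PASS}"
    echo "== logStats on $decoder (read-only) =="
    logstats_show "$decoder"
    printf 'Clear logStats on %s? All ESM entries will be removed. [y/N] ' "$decoder"
    read -r answer
    case $answer in
        y|Y) logstats_clear "$decoder" ;;
        *)   echo "Aborted; nothing cleared."; return 1 ;;
    esac
    echo "== restarting rsa-sms on $sa_server =="
    sms_restart "$sa_server"
}

# Runs only when both hosts are supplied, e.g.:
#   SA_USER=admin SA_PASS=... LOGDECODER_HOST=ld1.example.com \
#   SA_SERVER_HOST=sa.example.com sh clear_esm_dupes.sh
if [ -n "${LOGDECODER_HOST:-}" ] && [ -n "${SA_SERVER_HOST:-}" ]; then
    main "$LOGDECODER_HOST" "$SA_SERVER_HOST"
fi
```

The read-only logStats call comes first on purpose: op=clear cannot be undone, so confirm the duplicates are on this Log Decoder before sending it, and expect ESM to show nothing until the event sources log again.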