000029543 - The vis.level key is not populating meta for use with RSA NetWitness Visualize

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 3

Article Content

Article Number: 000029543
Applies To: RSA Product Set: Security Analytics, NetWitness NextGen
RSA Product/Service Type: Security Analytics UI, Decoder, Informer, Visualize
Issue: When attempting to use RSA NetWitness Visualize alongside RSA Security Analytics, it is discovered that the vis.level meta key is not populating the necessary data.
Cause: Although the vis.level meta key is included in the index-concentrator.xml file on the concentrator appliances by default, the Visualize FlexParser is necessary to produce the meta for images that are good candidates for visualizations.
Resolution: In order to deploy the Visualize FlexParser, follow the steps below.
  1. In the Security Analytics UI, navigate to Live -> Search.
  2. In the keywords field, type visualize and click on the Search button.
  3. Select the Visualize RSA FlexParser and click on the Deploy button.
  4. Follow the steps in the deployment wizard to deploy the parser to the decoder appliance.
After the parser is deployed, meta should begin to appear in the vis.level key, which is labeled "Visualize Image" in the Investigation module of the Security Analytics UI.

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.