|Applies To||RSA Product Set: RSA NetWitness Logs & Network, Security Analytics|
RSA Product/Service Type: Archiver, Log Decoder
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
|Issue||How to add additional meta keys to the Archiver when required.|
Editing defined meta keys in index-archiver-custom.xml through UI:
Alternatively, from SSH you can edit /etc/netwitness/ng/index-archiver-custom.xml directly.
10.6.X Product Documentation Reference - https://community.rsa.com/docs/DOC-83506
|Notes||Archivers are not intended to index the same number of meta keys as Concentrator services. By default around 41 meta keys are indexed from Log Decoders.|
The Product Documentation warns that the more meta keys the Archiver indexes, the shorter the session retention time (because the metadb is larger) and the more resources are required to store and use those meta keys.
Caution: Adding meta or indexes will require additional storage, CPU resources, and Memory resources to support, and may impact retention time. As more meta items are added to the Archiver, the maximum aggregation rate will decrease, and the time to execute reports will increase.
Source: 10.6.5 Product Documentation Reference - https://community.rsa.com/docs/DOC-83105
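When /etc/netwitness/ng/index-archiver-custom.xml is edited directly over SSH, a pre-change check like the following can confirm the file is still well-formed and show how many custom keys it adds. This is an added example, not RSA code; the `<language>`/`<key>` layout, the attribute names and the sample keys are assumptions and constructed data, so compare them with your own file.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample. The element and attribute names are assumed, not taken
# from the article; verify them against the file on your own Archiver.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="Source User" format="Text" level="IndexValues" name="user.src" valueMax="10000"/>
  <key description="Event Category" format="Text" level="IndexKeys" name="event.cat.name"/>
  <key description="Source User (dup)" format="Text" level="IndexValues" name="user.src" valueMax="10000"/>
  <key description="No name" format="Text" level="IndexValues"/>
</language>
"""

def audit_custom_index(xml_text):
    """Summarise the custom keys in an index file and list any problems."""
    report = {"keys": [], "duplicates": [], "errors": [], "levels": {}}
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        # A malformed file is reported here instead of at service load time.
        report["errors"].append(f"not well-formed XML: {exc}")
        return report
    names, levels = Counter(), Counter()
    for pos, key in enumerate(root.iter("key"), start=1):
        name = key.get("name")
        if not name:
            report["errors"].append(f"<key> #{pos} has no name attribute")
            continue
        names[name] += 1
        levels[key.get("level", "unspecified")] += 1
    report["keys"] = sorted(names)                      # unique custom keys
    report["duplicates"] = sorted(n for n, c in names.items() if c > 1)
    report["levels"] = dict(levels)                     # entries per index level
    return report

if __name__ == "__main__":
    # Pass the path of the custom index file, or run with no argument
    # to audit the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for field, value in audit_custom_index(text).items():
        print(f"{field}: {value}")
```

Each unique key listed adds to the roughly 41 keys indexed by default, so the count gives a quick view of how far a change moves the Archiver toward the storage and retention impact described in the caution.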