000033622 - Query result of count() function has a limitation in RSA Security Analytics Reporting Engine

Document created by RSA Customer Support Employee on Aug 2, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000033622
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance, SA Report Engine
RSA Version/Condition: 10.6.x, 10.5.x
Platform: CentOS
O/S Version: 6
 
Issue: After upgrading Security Analytics from 10.3/10.4 to 10.5 or above, the result of a count() query on Report Engine is capped at 10 million. This worked fine before the upgrade.
 
Cause: When the query that Report Engine sends down to the Concentrator hits the /sdk/config/max.where.clause.sessions limit, whose default value is 10 million, the result is capped at 10 million.
/sdk/config/max.where.clause.sessions is a new setting available since 10.5. The Broker and Concentrator audit logs below show the query being issued and the Concentrator warning that the where clause session limit was hit:
Jul 19 12:50:49 head01 NwBroker[4773]: [SDK-Query] [audit] User admin (session 2166457, 127.0.0.1:40964) has issued query (channel 6305023) (thread 21595): id1=766729193803 id2=1508946727145 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto"
Jul 19 12:56:36 head01 NwBroker[4773]: [SDK-Query] [audit] User admin (session 2166457, 127.0.0.1:40964) has finished query (channel 6305023, queued 00:00:00, execute 00:05:47, 10.10.10.100:50005=00:05:47 10.10.10.101:50005=00:05:36 10.10.10.102:50005=00:04:35): id1=766729193803 id2=1508946727145 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto"
Jul 19 12:50:49 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has issued query (channel 1527486) (thread 23706): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
Jul 19 12:56:25 concent01 NwConcentrator[23480]: [Index] [warning] query where clause '(time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53))' hit the where clause session limit of 10000000
Jul 19 12:56:25 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has finished query (channel 1527486, queued 00:00:00, execute 00:05:36): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
Resolution: Increase /sdk/config/max.where.clause.sessions.
  1. Log in to the Security Analytics UI as the admin user.
  2. Navigate to the Administration -> Services page.
  3. Click the Action button for the Concentrator in the far right column and select View -> Explore.
  4. Expand /sdk in the left tree and click /sdk/config.
  5. Click the value field of max.where.clause.sessions in the right frame.
  6. Increase the value and press Enter.
  7. Test the query on Report Engine while monitoring the Concentrator log.
  8. If the log still shows "hit the where clause session limit", increase the value further.
  9. The customer also needs to monitor the system carefully, since raising the limit can cause a performance issue.
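As an added example (not part of the RSA article), the Python below automates the check in steps 7 and 8: it scans Concentrator log lines for the "hit the where clause session limit" warning and ties each warning back to the issued query with the same where clause. The sample log is the article's two Concentrator lines plus one constructed line for a query that did not hit the limit.

```python
import re
from collections import defaultdict

# Sample Concentrator log: the two audit lines quoted in this article plus one
# constructed line (channel 1527490) for a second query that stayed under the limit.
SAMPLE_LOG = """\
Jul 19 12:50:49 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has issued query (channel 1527486) (thread 23706): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
Jul 19 12:56:25 concent01 NwConcentrator[23480]: [Index] [warning] query where clause '(time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53))' hit the where clause session limit of 10000000
Jul 19 13:02:10 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has issued query (channel 1527490) (thread 23710): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.src) where (time='2016-Jul-19 12:00:00'-'2016-Jul-19 13:00:00') && (service=80) group by ip.src "
"""

# "has issued query" audit line: capture the channel id and the full query text.
ISSUED_RE = re.compile(
    r'has issued query \(channel (?P<channel>\d+)\).*?query="(?P<query>.*)"\s*$')
# [Index] warning: capture the where clause (greedy, it contains quotes) and the limit.
LIMIT_RE = re.compile(
    r"query where clause '(?P<where>.*)' hit the where clause session limit of (?P<limit>\d+)")
# Where clause inside a query: everything after "where" up to an optional "group by".
WHERE_RE = re.compile(r'\bwhere\s+(?P<where>.*?)(?:\s+group by\b.*)?$', re.S)


def _norm(clause):
    # Collapse whitespace so the clause quoted in the warning matches the one in the query.
    return ' '.join(clause.split())


def find_capped_queries(log_text):
    """Return [(channel, query, limit)] for every issued query whose where clause
    later appears in a 'hit the where clause session limit' warning."""
    issued = defaultdict(list)   # normalized where clause -> [(channel, query)]
    capped = []
    for line in log_text.splitlines():
        m = ISSUED_RE.search(line)
        if m:
            query = m.group('query').strip()
            w = WHERE_RE.search(query)
            if w:
                issued[_norm(w.group('where'))].append((m.group('channel'), query))
            continue
        m = LIMIT_RE.search(line)
        if m:
            for channel, query in issued.pop(_norm(m.group('where')), []):
                capped.append((channel, query, int(m.group('limit'))))
    return capped


def count_may_be_truncated(count_result, limit=10_000_000):
    """A count() result at or above the configured session limit is the symptom in this article."""
    return count_result >= limit


if __name__ == '__main__':
    for channel, query, limit in find_capped_queries(SAMPLE_LOG):
        print(f"channel {channel} capped at {limit}: {query}")
```

A count() that comes back as exactly the configured max.where.clause.sessions value should be treated as truncated until the Concentrator log has been checked with this kind of correlation.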
Notes: Refer to the sadocs page about /sdk/config/max.where.clause.sessions for more information.
