000033622 - Query result has a limitation of 10,000,000 sessions retrieved in RSA Netwitness Reporting Engine

Document created by RSA Customer Support Employee on Aug 2, 2016. Last modified by RSA Customer Support on Sep 6, 2018.
Version 3

Article Number: 000033622
Applies To: RSA Product Set: Security Analytics, Netwitness Platform
RSA Product/Service Type: Core Appliance, Report Engine
RSA Version/Condition: 10.5.x, 10.6.x, 11.x
Platform: CentOS
O/S Version: 6/7
 
Issue

The maximum number of sessions retrieved by the WHERE clause query on the Reporting Engine is limited to 10 million (10,000,000).

 
Cause

The Concentrator has a setting, /sdk/config/max.where.clause.sessions, whose default value is 10 million; a query therefore returns at most 10 million sessions. The Broker and Concentrator log lines below show such a query hitting the limit:
 
Jul 19 12:50:49 head01 NwBroker[4773]: [SDK-Query] [audit] User admin (session 2166457, 127.0.0.1:40964) has issued query (channel 6305023) (thread 21595): id1=766729193803 id2=1508946727145 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto"
Jul 19 12:56:36 head01 NwBroker[4773]: [SDK-Query] [audit] User admin (session 2166457, 127.0.0.1:40964) has finished query (channel 6305023, queued 00:00:00, execute 00:05:47, 10.10.10.100:50005=00:05:47 10.10.10.101:50005=00:05:36 10.10.10.102:50005=00:04:35): id1=766729193803 id2=1508946727145 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto"

Jul 19 12:50:49 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has issued query (channel 1527486) (thread 23706): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
Jul 19 12:56:25 concent01 NwConcentrator[23480]: [Index] [warning] query where clause '(time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53))' hit the where clause session limit of 10000000

Jul 19 12:56:25 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has finished query (channel 1527486, queued 00:00:00, execute 00:05:36): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
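As an added example (not part of the RSA article), the following Python script scans NwConcentrator log lines like the ones above and reports which finished queries hit the where clause session limit, together with the limit value and the execute time. It pairs each "[Index] [warning]" line with the later "has finished query" audit line whose query text contains the warned where clause. The sample input is the article's own three Concentrator lines embedded as constructed test data; the regular expressions are this example's assumption about the line layout, not a documented log format.

```python
"""Find SDK queries that hit the Concentrator's max.where.clause.sessions limit,
by pairing NwConcentrator warning lines with the matching finished-query audit line."""
import re
from typing import List

# Sample input: the three NwConcentrator lines quoted in this article, embedded
# here as constructed test data for the parser.
SAMPLE_LOG = """\
Jul 19 12:50:49 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has issued query (channel 1527486) (thread 23706): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
Jul 19 12:56:25 concent01 NwConcentrator[23480]: [Index] [warning] query where clause '(time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53))' hit the where clause session limit of 10000000
Jul 19 12:56:25 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has finished query (channel 1527486, queued 00:00:00, execute 00:05:36): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
"""

# Assumed line layouts (derived from the article's sample lines, not from a spec).
SYSLOG_PREFIX = r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) NwConcentrator\[\d+\]: '
WARNING_RE = re.compile(
    SYSLOG_PREFIX
    + r"\[Index\] \[warning\] query where clause '(?P<clause>.*)' "
    + r"hit the where clause session limit of (?P<limit>\d+)$"
)
FINISHED_RE = re.compile(
    SYSLOG_PREFIX
    + r'\[SDK-Query\] \[audit\] User (?P<user>\S+) \(session (?P<session>\d+), [^)]*\) '
    + r'has finished query \(channel (?P<channel>\d+), queued (?P<queued>[\d:]+), '
    + r'execute (?P<execute>[\d:]+)\): .*query="(?P<query>.*)"$'
)


def hms_to_seconds(hms: str) -> int:
    """Convert the 'HH:MM:SS' durations used in the audit lines to seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def find_limited_queries(log_text: str) -> List[dict]:
    """Return one record per 'hit the where clause session limit' warning.

    Each record carries the host, the warned where clause and the limit; when a
    later 'has finished query' line on the same host contains that clause, the
    user, session, channel and execute time are filled in. A warning with no
    matching finished line is still reported, with those fields left as None.
    """
    pending: List[dict] = []
    results: List[dict] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        w = WARNING_RE.match(line)
        if w:
            pending.append({
                "warned_at": w["ts"], "host": w["host"], "clause": w["clause"],
                "limit": int(w["limit"]),
                "user": None, "session": None, "channel": None, "execute_seconds": None,
            })
            continue
        f = FINISHED_RE.match(line)
        if not f:
            continue
        # Attach the finished query to the oldest unmatched warning for the same
        # host whose where clause appears verbatim in the query text.
        for rec in pending:
            if rec["host"] == f["host"] and rec["clause"] in f["query"]:
                rec.update(user=f["user"], session=f["session"], channel=f["channel"],
                           execute_seconds=hms_to_seconds(f["execute"]))
                results.append(rec)
                pending.remove(rec)
                break
    results.extend(pending)  # warnings whose query never finished in this log
    return results


if __name__ == "__main__":
    for rec in find_limited_queries(SAMPLE_LOG):
        print(f"{rec['host']}: user={rec['user']} channel={rec['channel']} "
              f"execute={rec['execute_seconds']}s hit limit {rec['limit']:,}")
```

Run it against the text of the Concentrator's log (replace SAMPLE_LOG with the file contents) to list every report run that was silently capped; a non-empty result is the signal that max.where.clause.sessions is too low for the reports being scheduled, and the execute time gives a feel for how long such queries already take before the value is raised.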
Resolution

To resolve this issue, increase the value of the /sdk/config/max.where.clause.sessions setting. Perform the following steps:
  1. Log in to the NetWitness UI as the admin user.
  2. Navigate to Admin > Services.
  3. Select the Concentrator and click Actions > View > Explore.
  4. Expand /sdk in the left tree and click /sdk/config.
  5. Click the value field for max.where.clause.sessions in the right frame.
  6. Increase the value to a value suitable for your deployment and press Enter.
  7. Schedule a report on the Reporting Engine after the change is complete.
  8. If the report result still shows a Note, increase the value further.

Be sure to monitor the system carefully after the change, since a higher limit can affect performance.

Notes

For more information, please review our product documentation and knowledge base articles regarding /sdk/config/max.where.clause.sessions.
