000034244 - How to find the number of unique values indexed for a specific meta key in RSA NetWitness

Document created by RSA Customer Support Employee on Oct 24, 2016. Last modified by RSA Customer Support on May 7, 2019.
Version 4

Article Content

Article Number: 000034244
Applies To:
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Security Analytics Server, Concentrator
RSA Version/Condition: 10.5.x, 10.6.x, 11.x
Platform: CentOS
O/S Version: 6, 7

Tasks

The following steps provide important information about a meta key (e.g., size consumed, number of unique values, etc.).

Resolution

From the RSA NetWitness UI, follow the steps below:



1. Navigate to Administration -> Services -> Concentrator -> View -> Explore


2. From the panel on the left-hand side of the page, right-click the "index" directory and choose the option "Properties."


3. Choose "inspect" from the first drop-down menu, type the meta key in question into the "Parameters" box next to it, and press "Send." The parameter used in this example is "key=reference.id"; you can replace "reference.id" with the meta key of your choice.



4. Part of the output that you receive should be similar to the output below:




session1:1
 session2:1523490
 meta1:1
 meta2:34891779
 size:2772588674

key:reference.id
 pathname:/var/netwitness/concentrator/index/managed-values-1/reference.id.nwindex
 values:50
 summaries:1
 pages:1
 sessions:50
 size:18392
 packets:50
 summary1:250455
 summary2:250455
 session1:1171876
 session2:117195
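
When the inspect output is collected for several meta keys, it can be parsed rather than read by eye. The following is an added example, not RSA code: the function names `parse_inspect` and `unique_values` are hypothetical, and it assumes the `values` field is the unique-value count that this article is about.

```python
# Added example: parser for the text returned by the index "inspect" message.
# SAMPLE_OUTPUT is the output shown in step 4 of this article.
SAMPLE_OUTPUT = """\
session1:1
 session2:1523490
 meta1:1
 meta2:34891779
 size:2772588674

key:reference.id
 pathname:/var/netwitness/concentrator/index/managed-values-1/reference.id.nwindex
 values:50
 summaries:1
 pages:1
 sessions:50
 size:18392
 packets:50
 summary1:250455
 summary2:250455
 session1:1171876
 session2:117195
"""

def parse_inspect(text):
    """Return (header, keys): the leading block and one dict per 'key:' block."""
    header, keys = {}, {}
    current = header                      # fields seen before the first key: line
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition(":")
        if not sep:                       # blank line or not a name:value line
            continue
        value = value.strip()
        if name == "key":                 # a key: line opens a new per-key block
            current = keys.setdefault(value, {})
        else:
            current[name] = int(value) if value.isdigit() else value
    return header, keys

def unique_values(text, meta_key):
    """Assumption: 'values' is the number of unique values indexed for the key."""
    _, keys = parse_inspect(text)
    if meta_key not in keys:
        raise KeyError(f"no inspect block for meta key {meta_key!r}")
    return keys[meta_key]["values"]

if __name__ == "__main__":
    _, keys = parse_inspect(SAMPLE_OUTPUT)
    for k, f in keys.items():
        print(f"{k}: values={f['values']} size={f['size']} file={f['pathname']}")
```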



 
Notes
  • Information about the values in Steps 3 and 4 can be found here: Appendix B: Index Inspect
  • The screenshots and outputs are taken from an 11.x environment but are very similar in a 10.6.x environment, with the order of the output slightly modified
