000034217 - Some values are indexed while others are not within the same meta language key for RSA NetWitness

Document created by RSA Customer Support Employee on Nov 2, 2016. Last modified by RSA Customer Support on May 6, 2019.
Version 4

Article Content

Article Number: 000034217
Applies To:
RSA Product Set: Security Analytics (10.5.x, 10.6.x), Netwitness for Logs and Network (11.x)
RSA Product/Service Type: SA Server (10.5.x, 10.6.x), Admin Server (11.x)
RSA Version: 10.5.x and higher 
Platform: CentOS 6, 7
 
Issue

When a customer drills down on a meta key result, sometimes that value may not be found even though other values exist.

One possible reason is that the index space available for the meta value has reached the maximum number of unique values (valueMax) within the index memory slice of the investigation/report.

Resolution

If the meta key level is set to "IndexValues" in the index-concentrator.xml or index-concentrator-custom.xml, then increasing the "valueMax" parameter for the meta key will increase the number of unique values that can be captured and displayed.

Example:

from:

<key description="Crypto" level="IndexValues" name="crypto" valueMax="50000" format="Text"/>


to:

<key description="Crypto" level="IndexValues" name="crypto" valueMax="100000" format="Text"/>


Confirm the new value that is needed with the customer.

Note: It is important to realize that valueMax values should not be pushed to a larger number than is required for the key. Default valueMax arguments are designed as a failsafe to keep indexes from growing to an unmanageable size.

Caution: Setting IndexValues keys to very high levels can have a significant impact on performance. It is strongly recommended that no key should be bigger than 5,000,000 and that only a handful (if necessary) are set at more than a million. If it is believed that there is a need to configure several language keys over 2.5 million, carefully review the keys to determine if there is a better option (such as an application rule or configuring the keys to be "IndexKeys"). Keys set as "IndexKeys" do not have a valueMax setting, as they take up less space in the indexes, but they come with their own pros and cons, which are beyond the scope of this article.
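
Added example (not part of the original article and not RSA code): a small Python check that reads an index file and groups IndexValues keys by the 1,000,000, 2,500,000 and 5,000,000 thresholds named in the caution above. The root element, the example.* key names and the function name audit_value_max are assumptions made for illustration; only the "crypto" key line comes from this article.

```python
import xml.etree.ElementTree as ET

# Thresholds from the article's caution paragraph.
HARD_LIMIT = 5_000_000      # no key should be bigger than this
REVIEW_LIMIT = 2_500_000    # several keys above this: look for a better option
LARGE_LIMIT = 1_000_000     # only a handful of keys should exceed this

# Constructed sample. Only the "crypto" line is from the article; the root
# element and the other key names are assumptions made for illustration.
SAMPLE = """<language level="IndexNone" defaultAction="Auto">
  <key description="Crypto" level="IndexValues" name="crypto" valueMax="100000" format="Text"/>
  <key description="Example A" level="IndexValues" name="example.a" valueMax="6000000" format="Text"/>
  <key description="Example B" level="IndexValues" name="example.b" valueMax="3000000" format="Text"/>
  <key description="Example C" level="IndexKeys" name="example.c" format="Text"/>
  <key description="Example D" level="IndexValues" name="example.d" valueMax="abc" format="Text"/>
</language>"""


def audit_value_max(xml_text):
    """Group IndexValues keys by how their valueMax compares to the thresholds."""
    report = {"over_hard": [], "over_review": [], "over_large": [], "invalid": []}
    for key in ET.fromstring(xml_text).iter("key"):
        # The article says IndexKeys keys have no valueMax, so only IndexValues
        # keys that carry the attribute are checked.
        if key.get("level") != "IndexValues" or key.get("valueMax") is None:
            continue
        name, raw = key.get("name"), key.get("valueMax")
        try:
            value = int(raw)
        except ValueError:
            # A non-numeric valueMax is reported instead of aborting the audit.
            report["invalid"].append((name, raw))
            continue
        # A key can land in more than one bucket, e.g. 6,000,000 is in all three.
        if value > HARD_LIMIT:
            report["over_hard"].append((name, value))
        if value > REVIEW_LIMIT:
            report["over_review"].append((name, value))
        if value > LARGE_LIMIT:
            report["over_large"].append((name, value))
    return report


if __name__ == "__main__":
    for bucket, keys in audit_value_max(SAMPLE).items():
        print(bucket, keys)
```

To audit a real file, pass the contents of index-concentrator-custom.xml to audit_value_max in place of SAMPLE.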

Contact Netwitness Customer Support with any questions.
Notes

The article "How to know the number of unique values indexed for a specific meta key in RSA Netwitness" discusses how to check the number of unique values for meta keys within the current index slice.
