|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.5.x, 10.6.x
O/S Version: CentOS
Product Name: Netwitness for Logs and Packets
|Issue||When a customer tries to drill on a particular value within a meta language key, some times a particular value may not be found however the meta language key is not empty of other values.|
One possible reason is the meta language key has reached the maximum number of unique values for this meta language key to be index (maxValue) within the index memory slice of the investigation/report.
|Resolution||If the meta language key is an IndexValues key, based on what is seen in the index-concentrator.xml or index-concentrator-custom.xml, then follow these steps to attempt to fix the issue.|
Increase the "valueMax" of the meta key in /etc/netwitness/ng/index-concentrator-custom.xml file as follows.
<key description="Crypto" level="IndexValues" name="crypto" valueMax="50000" format="Text"/>
<key description="Crypto" level="IndexValues" name="crypto" valueMax="100000" format="Text"/>
Check the new needed value with the customer.
Note: It is important to realize that these valueMax values should not be pushed to a larger number than is required for the key. These valueMax numbers are designed as a failsafe to keep the indexes from growing to an unmanageable size. No single IndexValues langauge key should be bigger than 5,000,000. Also there should not be more than a few at this level. If it seems that there needs to be several language keys over 2.5 million, look over the keys and see which ones may be changes to IndexKeys instead. IndexKey meta language keys do not have a valueMax setting as they take up less space in the indexes but come with their own pros and cons which is beyond the scope of this article.
Contact Netwitness Customer Support with any questions.
|Notes||In order to check the number of unique values for meta keys within the current index slice check this KB:|