000034217 - Some values are indexed while others are not within the same meta language key for Netwitness

Document created by RSA Customer Support Employee on Nov 2, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000034217
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.5.x, 10.6.x
Platform: Linux
O/S Version: CentOS
Product Name: Netwitness for Logs and Packets
Issue
When a customer tries to drill into a particular value within a meta language key, sometimes that value cannot be found even though the meta language key contains other values.
One possible reason is that the meta language key has reached the maximum number of unique values that can be indexed for it (valueMax) within the index memory slice of the investigation/report.
Resolution
If the meta language key is an IndexValues key, based on what is seen in index-concentrator.xml or index-concentrator-custom.xml, follow these steps to attempt to fix the issue.
Increase the "valueMax" of the meta key in the /etc/netwitness/ng/index-concentrator-custom.xml file, for example from:
<key description="Crypto" level="IndexValues" name="crypto" valueMax="50000" format="Text"/>

to:
<key description="Crypto" level="IndexValues" name="crypto" valueMax="100000" format="Text"/>

Confirm the required new value with the customer.
Note: These valueMax values should not be set higher than the key actually requires. The valueMax numbers are designed as a failsafe to keep the indexes from growing to an unmanageable size. No single IndexValues language key should be bigger than 5,000,000, and there should not be more than a few keys at this level. If it seems that several language keys need to be over 2.5 million, look over the keys and see which ones may be changed to IndexKeys instead. IndexKeys meta language keys do not have a valueMax setting, as they take up less space in the indexes, but they come with their own pros and cons, which are beyond the scope of this article.
Contact Netwitness Customer Support with any questions.
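The following added example (not part of the RSA article or product) audits an index file against the limits in the note above: it flags any IndexValues key whose valueMax exceeds 5,000,000 and reports when many keys exceed 2.5 million. The `<language>` wrapper, the `sample.*` keys and the cutoff of 3 for "several" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

HARD_LIMIT = 5_000_000    # article: no single IndexValues key above this
REVIEW_LIMIT = 2_500_000  # article: keys above this are candidates for review
MAX_LARGE_KEYS = 3        # assumption: the article only says "several"

# Constructed sample: the <language> wrapper and the sample.* keys are made up.
SAMPLE_XML = """<language>
  <key description="Crypto" level="IndexValues" name="crypto" valueMax="100000" format="Text"/>
  <key description="A" level="IndexValues" name="sample.a" valueMax="6000000" format="Text"/>
  <key description="B" level="IndexValues" name="sample.b" valueMax="3000000" format="Text"/>
  <key description="C" level="IndexValues" name="sample.c" valueMax="3000000" format="Text"/>
  <key description="D" level="IndexValues" name="sample.d" valueMax="2600000" format="Text"/>
  <key description="E" level="IndexKeys" name="sample.e" format="Text"/>
</language>"""


def audit_value_max(xml_text, max_large_keys=MAX_LARGE_KEYS):
    """Return (key name(s), finding) tuples for IndexValues keys in xml_text."""
    findings, large = [], []
    for key in ET.fromstring(xml_text).iter("key"):
        if key.get("level") != "IndexValues":
            continue  # only IndexValues keys carry a valueMax to check
        name = key.get("name", "?")
        raw = key.get("valueMax")
        if raw is None:
            findings.append((name, "no valueMax attribute in this file"))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, f"valueMax is not an integer: {raw!r}"))
            continue
        if value > HARD_LIMIT:
            findings.append((name, f"valueMax {value} exceeds {HARD_LIMIT}"))
        if value > REVIEW_LIMIT:
            large.append(name)
    if len(large) > max_large_keys:
        findings.append((",".join(large),
                         f"{len(large)} keys over {REVIEW_LIMIT}: review for IndexKeys"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_value_max(SAMPLE_XML):
        print(f"{name}: {finding}")
```

To audit a real concentrator, pass the contents of /etc/netwitness/ng/index-concentrator-custom.xml to `audit_value_max` instead of the sample.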
Notes
To check the number of unique values for meta keys within the current index slice, see this KB article:

How to know the number of unique values indexed for a specific meta key in RSA Netwitness