000034680 - How to index a new meta key on an Archiver within the RSA NetWitness Platform

Document created by RSA Customer Support Employee on Feb 2, 2017
Last modified by RSA Customer Support on Dec 22, 2018
Version 8

Article Content

Article Number: 000034680
Applies To: RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Archiver, User Interface
RSA Version/Condition: 10.5.x, 10.6.x
Platform: Linux
O/S Version: CentOS
Issue: Unlike other services, the Archiver requires an additional step in order to index a meta key.
Resolution: Even after updating the index-archiver-custom.xml file, using steps similar to those in the KB article below:

'Meta not available on device' is displayed in RSA Security Analytics investigations

the following steps must be performed from the GUI to get this meta key indexed:

  1. Administration -> Services -> Archiver -> config.
  2. Stop the Archiver service.
  3. Edit the service and select the meta key to be indexed, then enter the Archiver service username and password.

  4. Click Apply; the service should start again automatically.

At this point, the meta key will start to be indexed; old data will not be indexed.