The ADMIN > System > Investigation Configuration panel provides the user interface for administrators to configure the system-wide settings that NetWitness Platform Investigate uses when analyzing data and reconstructing an event. To access the Investigation Configuration panel, Go to ADMIN > System and select Investigation.
The settings allow an administrator to manage application performance for Investigate. As analysts analyze and reconstruct sessions that they are investigating, performance can be affected by operations that involve loading, searching, visualizing, and reconstructing large amounts of data.
What do you want to do?
|Role||I want to ...||Show me how|
|Administrator||Configure Navigate, Legacy Events, and Events view settings||Configure Investigation Settings|
|Administrator||Map Context Hub Meta Types||Configure Investigation Settings|
|Administrator||Clear reconstruction cache for services||Configure Investigation Settings|
The Investigation Configuration panel has four tabs: Navigate, Legacy Events, Context Lookup, and Events.
Though most fields in the tabs have a selection list with specific increments through the range of possible values, you can enter a value within the allowed range manually. An invalid entry is signaled by the field highlighted in red. When valid values are selected, clicking Apply in a given section puts the changes into effect immediately.
Render Threads Setting
The Render Threads Setting is a selectable value between 1 and 20, which defines the number of concurrent (Values) loads in the Navigate view. The default value is 1.
Parallel Coordinates Settings
The Parallel Coordinates Settings apply to the Parallel Coordinates visualization in the Navigate view. There is a fixed limit on the amount of data that can be rendered as a parallel coordinates chart. In NetWitness Platform the administrator can configure parallel coordinates limits here.
The following table describes the Parallel Coordinates Settings.
|Meta Values Scan Limit||The maximum number of meta values scanned within the time range the analyst has selected in the Navigate view. Possible values are in the range of 1,000 to 10,000,000. The default value is 100,000.|
|Meta Values Result Limit||The maximum number of meta values returned within the time range the analyst has selected in the Navigate view. Possible values are in the range of 100 to 1,000,000,000. The default value is 10,000.|
Legacy Events Tab
The Legacy Events tab provides configurable settings that affect the investigation of events. This tab has five sections: Enable Legacy Events, Event Search Settings, Reconstruction Settings, Web View Reconstruction Settings, and Reconstruction Cache Settings. The following figure shows the top part of the Legacy Events tab.
Enable Legacy Events
The Enable Legacy Events checkbox enables and disables the Legacy Events view. The Legacy Events view has been replaced by the Events view in Version 11.4, and is disabled by default. If analysts want to use the Legacy Events view, you can enable the view using the checkbox. When the Legacy Events view is enabled, it is available in addition to the Events view.
Event Search Settings
The Event Search Settings help to limit the number of events scanned when searching in the Legacy Events view.
The following table describes the Event Search Settings.
|Events Scanned Limit||The maximum number of events to scan when searching in the Legacy Events view. The actual number of events scanned may be slightly greater than the limit set here.|
|Events Result Limit||The maximum number of results to return when searching in the Legacy Events view. The actual number of results returned may be slightly greater than the limit here.|
As analysts reconstruct sessions that they are investigating, some events can be very large and contain many thousands of source packets. Reconstructing these sessions, especially in a multi-user environment, can degrade application performance. The Reconstruction Settings allow an administrator to limit the number of packets and the size of a single event during reconstruction.
The following table describes the Reconstruction Settings features.
|Maximum number of packets for a single event||This setting protects performance by placing a limit on the number of packets processed for a single event reconstruction.|
Possible values are in the range from 100 to 10,000 packets, using manual entry or increments of 100 from the selection list. The default value is 100 packets.
|Maximum size, in bytes of a single event||This setting protects performance by placing a limit on the maximum size, in bytes, of a single event reconstruction. |
Possible values are in the range from 102,400 to 104,857,600 bytes, using manual entry or increments of 10,240 from the selection list. The default value is 2,097,152 bytes.
|Allow Full Packet Reconstruction Override||When this checkbox is selected, the analysts is provided with a Use More Packets button in the Reconstruction Panel. This enables the NW Server to regenerate events using all the packets available in the Event.|
|Allow Parsing of HTML Charset for Web pages||This option allows the NetWitness Server to identify the web page encoding defined in the HTML meta tag instead of the HTTP header. The default setting is disabled.|
Web View Reconstruction Settings
The Web View Reconstruction Settings allow an administrator to configure settings that improve the reconstruction of a web view by scanning and reconstructing related events that contain the same supporting files. When NetWitness Platform is reconstructing a web view that spans multiple events, it is possible to improve the reconstruction of the target event by scanning and reconstructing related events that contain the same supporting files, such as images and cascaded style sheet (CSS) files.
- The only related events scanned are HTTP service type events with the same source address as the target event, and a time stamp within a specified time range before and after the target event.
- The maximum number of related events to scan is configurable.
Clicking on the Advanced Settings option displays all configurable settings in this section.
The following table describes the Web View Reconstruction Settings.
|Enable supporting files for web view||This option determines how web views that have related data in other sessions are reconstructed. The default setting is enabled.|
When enabled, supporting files from related events can be used in the reconstruction of web views. Additional settings for calibrating the performance are enabled in this section, and Analysts have the option to enable CSS use in reconstructions.
When disabled, supporting files from related events are not used and the setting for analysts to enable CSS use in reconstructions is disabled.
|Time Range to Scan Related Events||Available when Enable supporting files for web view is checked. Configures the time range within which NetWitness Platform scans related events that are of the service type HTTP and have the same source address as the target event. This is a value between 0 and 60. |
|Limit the number of related events processed||Allows configuration of the maximum number of related events that NetWitness Platform scans within the specified time range to discover supporting files for the target event. By default, this is disabled. When enabled, the Maximum Related Events field becomes active.|
|Max Related Events||When Limit the number of events processed is enabled, this field specifies the maximum number of related events that NetWitness Platform scans within the specified time range to discover supporting files for the target event.|
This is a selectable value between 10 and 1,000, using an increment of 100. The default value is 100.
|Limit the number of packets and size of each related event||Overrides the general settings for the maximum number of packets and maximum size (in bytes) for individual related events.|
|Maximum Number of Packets for a Single Related Event||Possible values are in the range from 100 to 10,000 packets, using increments of 100 from the selection list. The default value is 100 packets.|
|Maximum Size, in Bytes, of a Single Related Event||Possible values are in the range from 102,400 to 104,857,600 bytes, using increments of 10,240 from the selection list. The default value is 524,288 bytes.|
Reconstruction Cache Settings
In some cases, the reconstruction cache can present incorrect content; for this reason NetWitness Platform removes reconstructions that are older than a day from the cache. The cache is cleaned every day at midnight. Between the daily cache cleanings, certain actions may result in stale cache being used for a reconstruction, and if the need arises, administrators can manually clear cache for one or more services that are connected to the current NetWitness Server.
The following table describes the Reconstruction Cache Settings features.
|Selection box||Selection box in individual rows and in the title bar allow selection of one or more, or all services that need to have cache cleared manually.|
|Clear Cache for Selected Services||Clears the reconstruction cache for each selected service.|
|Clear Cache for All Services||Clears the reconstruction cache for all services.|
Context Lookup Tab
Procedures associated with this panel are provided in "Manage Meta Type and Meta Key Mapping" in the Context Hub Configuration Guide. The following figure shows the Context Lookup tab.
The Context Lookup tab enables the administrator to configure the Investigate meta keys and meta type mapping. The administrator can add or remove meta keys found in Investigate to the list of meta types supported by Context Hub service. NetWitness Respond and Investigate use these default mappings for context lookup. For information about adding meta keys, see "Configure Context Hub Data Source Settings" in the Context Hub Configuration Guide.
The following table describes the features of the Context Lookup tab.
|Adds a meta key to the selected meta type supported by Context Hub.|
|Deletes the meta key from the selected meta type.|
|Apply||Saves the changes made to the Context Lookup tab.|
The following figure shows the Event tab.
The Events tab provides configurable settings that affect the number of events displayed in the Events panel. This tab has two sections: Events Panel Settings and Event Limit per User Role.
|Event Limit Default|| Specifies the maximum number of events loaded in the Events panel when a query is submitted. Possible values are integers between 100 and 40,000, and the default value is 5,000 events.|
If a query returns more events than the configured Event Limit Default, the Events panel title shows the analyst that more results are available but are not listed due to the limit. Increasing the limit may place additional load on the queried service; the ideal limit is determined by your environment.
|Event Limit Per User Role||Specifies the maximum number of events loaded for a single query for individual user roles. This limit must be less than or equal to the system events limit of 40,000, but it can be greater than the Event Limit Default.|
|Apply||Each setting has an Apply button, which saves the change. The change becomes effective immediately, and applies to any new queries submitted by users.|