This topic provides information about possible issues that NetWitness Platform users may encounter when setting up their Context Hub service.
Prefetch for a list fails if the list is created in append mode. The following error message is displayed in the logs, indicating that the entries in the list exceed the maximum allowed:
Error setting data source entries com.rsa.asoc.contexthub.exception.ContextHubException: total.entries.exceed.max
Also, Health & Wellness sets the stat Contexthub.Datasource.Health.Data-Sources-Health to Unhealthy and displays the names of the lists for which prefetch has failed.
For example, the number of entries in the list is 50001 and the number of records in the CSV file is 50001 because the user did not change the CSV file since the last prefetch. The upper limit on the number of entries in the list is 100,000. On prefetch, Context Hub tries to append 50001 entries to the list, but since 50001 + 50001 > 100,000, prefetch fails.
In the CSV file, add only those entries that you wish to append to the existing .csv file. If you do not want to append any entries to the list, perform one of these options, as applicable:
The SSL handshake with the Archer certificate fails while adding it as a data source.
Use an Archer-generated certificate with the Trust All Certificates option configured.
The Pivot to Investigate option in the Respond view does not navigate to the correct location.
To restart the jetty service on the NetWitness Server, log in to the NetWitness Server host and enter the service jetty restart command.
When you import a list with missing quotes in the list items, such as 172.16.0.0, the list is saved without any data to display. This is due to the Apache bug CSV-141, which does not parse CSV files with incorrect formats.
Import a list with correct quotes to avoid displaying an empty file. For example, "172.16.0.0", "host.mycompany.com" and so on.
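As an added example (not NetWitness code), the Python helper below addresses both the append-mode prefetch limit and the quoting issue described above: it keeps only rows that are not already in the list, checks the resulting size against the 100,000-entry limit, and writes every item in double quotes. It assumes the entries loaded by the last prefetch are available as CSV text; the function names and sample data are constructed for illustration.

```python
import csv
import io

MAX_LIST_ENTRIES = 100_000  # upper limit on list entries stated on this page


def read_rows(text):
    """Parse CSV text into row tuples, trimming cells and skipping blank rows."""
    rows = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        cells = tuple(cell.strip() for cell in row)
        if any(cells):
            rows.append(cells)
    return rows


def build_append_csv(already_loaded_text, candidate_text, limit=MAX_LIST_ENTRIES):
    """Return (csv_text, new_count) containing only rows not yet in the list.

    Raises ValueError if the list would exceed `limit` after the append,
    the condition reported as total.entries.exceed.max.
    """
    existing_rows = read_rows(already_loaded_text)
    existing = set(existing_rows)
    delta, seen = [], set()
    for row in read_rows(candidate_text):
        if row not in existing and row not in seen:
            seen.add(row)
            delta.append(row)
    total = len(existing_rows) + len(delta)
    if total > limit:
        raise ValueError(f"{total} entries would exceed the limit of {limit}")
    out = io.StringIO()
    # QUOTE_ALL wraps every item in straight double quotes.
    csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(delta)
    return out.getvalue(), len(delta)


if __name__ == "__main__":
    # Constructed sample data: the file from the last prefetch and the next file.
    last_prefetch = '"172.16.0.0"\n"host.mycompany.com"\n'
    next_file = '172.16.0.0\n"host.mycompany.com"\n"10.0.0.5"\n'
    text, count = build_append_csv(last_prefetch, next_file)
    print(count, text, end="")
```

An unchanged file produces an empty output with a count of 0, so nothing is appended on the next prefetch.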
Increasing the limit for alerts and incidents leads to a lookup error. By default, the number of alerts and incidents viewed is limited to 50.
If the limit is increased, the larger amount of looked-up metadata for alerts and incidents may lead to a lookup error due to an internal database restriction.
To resolve this, revert to the default settings that limit the number of alerts and incidents viewed to 50.