000035756 - New meta is not available in schema when the data source is added in RSA Security Analytics Reporting Engine

Document created by RSA Customer Support Employee on Nov 18, 2017Last modified by RSA Customer Support Employee on Mar 25, 2019
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000035756
Applies ToRSA Product Set: NetWitness Logs & Packets, Security Analytics
RSA Product/Service Type: Reporting Engine, User Interface
RSA Version/Condition: 10.6.2 and above
Platform: CentOS
O/S Version: EL6
IssueIn the OOTB dashboard, the investigation query does not contain quotes for the new mete key (ex. direction) values when you click on investigate using the Traffic Flow Direction chart that is available in the Overview Dashboard.

For example: query sent to core: direction=outbound && (direction exists). This will throw out error in UI: 

rule syntax error: expecting <quoted string> here: "outbound && (direction exists)) && time="2016-09-26 14:42:00""2016-09-27 14:42:59""

The expected query is: direction='outbound' && (direction exists). It loads the results.
CauseThis is a design issue of the way Charts and Dashlets are implemented as part of OOTB. The new meta which is added in the core appears in the schema only after 24 hours. If schema definition is not available in SA then it treats as "Undefined" meta and will not include the quote in a query.
WorkaroundPossible workarounds:
  • Restart the Reporting Engine or,
  • Remove and Re-add the data source to the Reporting Engine or,
  • Wait 24 hours to allow the schema cache to update.
Restarting the jettysrv service on the Security Analytics server is required to reflect the change in the dashlet query for the hyperlink used in the investigation query that was created during dashlet creation. When the  Reporting Engine schema cache is updated, the dashlet is not.