|Applies To||RSA Product Set: NetWitness Logs & Packets, Security Analytics|
RSA Product/Service Type: Reporting Engine, User Interface
RSA Version/Condition: 10.6.2 and above
O/S Version: EL6
|Issue||In the OOTB dashboard, the investigation query does not contain quotes for the new mete key (ex. direction) values when you click on investigate using the Traffic Flow Direction chart that is available in the Overview Dashboard.|
For example: query sent to core: direction=outbound && (direction exists). This will throw out error in UI:
The expected query is: direction='outbound' && (direction exists). It loads the results.
|Cause||This is a design issue of the way Charts and Dashlets are implemented as part of OOTB. The new meta which is added in the core appears in the schema only after 24 hours. If schema definition is not available in SA then it treats as "Undefined" meta and will not include the quote in a query.|