000035935 - "Service is already in this deployment" is returned when adding an Event Stream Analysis service in RSA NetWitness

Document created by RSA Customer Support Employee on Feb 12, 2018Last modified by RSA Customer Support Employee on Apr 10, 2019
Version 2Show Document
  • Comment0
  • View in full screen mode

Article Content

Article Number000035935
Applies To

RSA Product Set:- Netwitness
RSA Product/Service Type:- ESA, SA Server
RSA Version/Condition: 10.5.x, 10.6.x, 11.x
Platform: CentOS

IssueAn error similar to below occurs when trying to add an Event Stream Analysis service to ESA Services under SA Web GUI > Alerts > Configure > DEPLOYMENTS (for SA 10.x) or NW Web GUI > CONFIGURE > ESA RULES >DEPLOYMENTS (for NW 11.x).
""Service is already in this deployment" The service "ESA - Event Stream Analysis" is already part of the deployment "TEST ESA""
 
CauseThe error is returned when esaServiceInfos field in the synchronization table already contains some values. Synchronization database resides on SA server or NW Admin Server and it stores Event Stream Analysis rules & deployment details.
Resolution
  1. Open the SSH to SA Server or NW Admin Server and run the below commands to verify the deployment name.
     
    For 10.5.x and 10.6.x, perform these steps.

    An example of the expected output is shown below with the name of deployment highlighted in red.




    #mongo sa
    > db.synchronization.find().pretty()
    {
            "_id" : ObjectId("58a2af3ce4b0bca8c6393661"),
            "_class" : "com.rsa.smc.sa.esa.domain.bean.Synchronization",
            "name" : "TEST ESA", 
            "esaServiceInfos" : [
                    {
                            "deviceId" : NumberLong(7),
                            "hostname" : "x.x.x.x",
                            "port" : 50030,
                            "lastSuccessfulSync" : ISODate("2017-12-31T16:38:34.515Z"),
                            "successfulSync" : true,
                            "master" : false
                    }
            ],



    For 11.x, follow these steps.




    # mongo admin -u deploy_admin -p
    Enter password:
    > show dbs
    (sa shows up)
    > use sa
    > db.synchronization.find().pretty()
    {
            "_id" : ObjectId("58a2af3ce4b0bca8c6393661"), 
            "_class" : "com.rsa.smc.sa.esa.domain.bean.Synchronization",
            "name" : "TEST ESA",
                 "esaServiceInfos" : [
                    {
                            "deviceId" : NumberLong(7),
                            "hostname" : "x.x.x.x",
                            "port" : 50030,
                            "lastSuccessfulSync" : ISODate("2017-12-31T16:38:34.515Z"),
                            "successfulSync" : true,
                            "master" : false
                    }
            ],
                    


     


  2. To clear esaServiceInfos field from the synchronization table in 'sa' database, run below command on SSH to SA Server or NW Admin Server
    #mongo sa
    > db.synchronization.update({name:"<name of deployment>"},{$unset: {"esaServiceInfos": ""}}) 
    e.g.db.synchronization.update({name:"TEST ESA"},{$unset: {"esaServiceInfos": ""}}) if the name of deployment is "TEST ESA".
     
  3. Add the Event Stream Analysis service to ESA Services under SA Web GUI > Alerts > Configure > DEPLOYMENTS (for SA 10.x) or NW Web GUI > CONFIGURE > ESA RULES >DEPLOYMENTS (for NW 11.x).
    You should be successfully able to add the ESA service to ESA Services now. 

     


Attachments

    Outcomes