RSA NetWitness® Suite Unified Data Model Glossary

Document created by RSA Link Team Employee on Mar 22, 2018. Last modified by RSA Link Team Employee on Mar 26, 2018.
Version 3

Meta Class

High-level classification of Meta concepts, which makes the data model easier to browse.

Meta Concept

Description of the Meta key.

Log Parser Key

Name of the key used in Log Parsers, which is mapped (via Table-Map) to the corresponding Meta key in the RSA NetWitness® Suite.

Log Parser Key Flag

Flag used in the Table-Map that decides whether the meta data is written to disk.

Transient: The meta data is not saved to disk; however, it is used by Application/Correlation Rules and Feeds.
None: The meta data is saved to disk and is available to the NetWitness Concentrator or Archiver for further storage or processing.

Meta Key

Name of the key (maximum 16 characters).

Meta Type

Type format of the value which can be: 

Int8, UInt8, Int16, UInt16, Int32, UInt32, Int64, UInt64, UInt128, Float32, Float64, TimeT, Binary, Text, IPv4, IPv6, MAC

Indexing

IndexNone: Default index level, which provides no indexing.
IndexKeys: Provides indexing at the key level (e.g., identifies which sessions have values, but does not track the actual values). This provides highly efficient exists or !exists queries, but slower queries for other operators, such as key = 'some value'.
IndexValues: Highest indexing level. Provides the best performance for all query operators, but also takes the most time to index and requires the most storage space.

Notes

Explains how a particular key should be used, to avoid any discrepancies.

RSA NetWitness uses Meta Keys as a way to retain context of the raw data after it is parsed and stored on disk. Hence, it is extremely important to parse out data into the most accurate Meta key to retain context that's needed for Threat Detection, Analytics and Response. The table below lists over 350 concepts that are available in RSA NetWitness.
