Version 10.6 introduced a new CLI feature in NwConsole: reporting with topquery. This neat command parses the /var/log/messages file on brokers, concentrators and archivers for query commands and reports on query performance. It is a very helpful command for digging into general analyst behaviour (best practices, poor syntax, optimization opportunities, etc.) and for hunting down slowness in the NetWitness Suite.
This is a sample line from the output of topquery:
- the default size of 20 values is also used when loading the drill (a giveaway that this query came from the Investigate view with default settings)
There are lots of options to topquery, and it can be very handy to run it during monthly reviews of the platform to review query operations and make sure bad habits aren't creeping into analyst workflows. One thing to be especially careful of is Investigate advanced queries whose times are longer than normal: check for queries on keys that are not value-indexed, as these can create a major performance hit on the system.
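The kind of monthly review described above, as an added example that is not the topquery command itself or any NetWitness code: the script below parses constructed query records out of log text, extracts the meta keys each query touches, and flags the three things the post calls out, namely slow queries, queries on keys outside the configured index set, and the size=20 signature of an Investigate drill with default settings. The log line layout, the INDEXED_KEYS set and the slow threshold are assumptions for the illustration; the real record format in /var/log/messages and the real index configuration of your appliances must be substituted for them.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical format (an assumption, not the
# real NetWitness query record layout); adjust LINE_RE to match what your
# brokers/concentrators actually write to /var/log/messages.
SAMPLE_LOG = """\
Jan 12 10:15:32 conc01 NwConcentrator[2211]: query user=alice size=20 where="service = 80 && ip.src exists" elapsed=0.4s
Jan 12 10:16:05 conc01 NwConcentrator[2211]: query user=bob size=20 where="filename contains 'invoice'" elapsed=18.2s
Jan 12 10:17:41 conc01 NwConcentrator[2211]: query user=bob size=1000 where="service = 443 && tcp.dstport = 443" elapsed=3.1s
Jan 12 10:18:02 conc01 NwConcentrator[2211]: query user=carol size=20 where="content begins 'cmd='" elapsed=25.7s
Jan 12 10:18:30 conc01 NwConcentrator[2211]: some unrelated message that must be ignored
"""

# Hypothetical set of value-indexed keys for the illustration; take the real
# list from your appliance's index configuration.
INDEXED_KEYS = {"service", "ip.src", "ip.dst", "tcp.dstport", "filename", "alias.host"}

DEFAULT_INVESTIGATE_SIZE = 20   # size=20 is the Investigate default the post describes
SLOW_THRESHOLD_S = 10.0         # assumption: tune to your own baseline

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: query '
    r'user=(?P<user>\S+) size=(?P<size>\d+) where="(?P<where>.*)" elapsed=(?P<elapsed>[\d.]+)s$'
)
# A meta key is a bare identifier immediately followed by an operator.
KEY_RE = re.compile(r"\b([a-z][a-z0-9_.]*)\s*(?:=|!=|<|>|exists|contains|begins|ends|regex)")


def strip_literals(where):
    """Blank out quoted string literals so text inside them is not mistaken for keys."""
    return re.sub(r"'[^']*'", "''", where)


def keys_in_where(where):
    """Return the set of meta keys referenced by a where clause."""
    return set(KEY_RE.findall(strip_literals(where)))


def parse_queries(text):
    """Parse query records out of log text; lines that are not query records are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["elapsed"] = float(rec["elapsed"])
        rec["keys"] = keys_in_where(rec["where"])
        records.append(rec)
    return records


def review(records, indexed=INDEXED_KEYS, slow_threshold_s=SLOW_THRESHOLD_S):
    """Annotate each record with the flags a monthly review looks for."""
    findings = []
    for rec in records:
        non_indexed = rec["keys"] - indexed
        slow = rec["elapsed"] >= slow_threshold_s
        findings.append({
            "user": rec["user"],
            "elapsed": rec["elapsed"],
            "where": rec["where"],
            "slow": slow,
            "non_indexed": non_indexed,
            "investigate_default": rec["size"] == DEFAULT_INVESTIGATE_SIZE,
            # The case the post singles out: slow AND touching a non-indexed key.
            "needs_attention": slow and bool(non_indexed),
        })
    return findings


def per_user_summary(records):
    """Count queries and total/max elapsed time per analyst."""
    summary = defaultdict(lambda: {"count": 0, "total_s": 0.0, "max_s": 0.0})
    for rec in records:
        s = summary[rec["user"]]
        s["count"] += 1
        s["total_s"] += rec["elapsed"]
        s["max_s"] = max(s["max_s"], rec["elapsed"])
    return dict(summary)


if __name__ == "__main__":
    recs = parse_queries(SAMPLE_LOG)
    for f in sorted(review(recs), key=lambda f: f["elapsed"], reverse=True):
        flags = [k for k in ("slow", "investigate_default", "needs_attention") if f[k]]
        if f["non_indexed"]:
            flags.append("non-indexed:" + ",".join(sorted(f["non_indexed"])))
        print(f'{f["elapsed"]:6.1f}s {f["user"]:6} {";".join(flags):45} {f["where"]}')
    for user, s in per_user_summary(recs).items():
        print(f"{user}: {s['count']} queries, {s['total_s']:.1f}s total, max {s['max_s']:.1f}s")
```

On the sample data the carol query is the one that deserves attention: it is slow and its only key is outside the indexed set, while bob's slow filename query is on an indexed key and so points to a different cause (data volume, time range, or the contains operator) rather than index configuration.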
Here is the help menu output from NwConsole for topquery: