Change query.level.1 value
I have a report that fails with the error message: The query was auto-canceled by the system for exceeding time usage limits. The user already has "query.level.1" set, as the report needs more than 60 minutes to finish. How can I change the max value of "query.level.1"?
What you should actually be trying to do is get the query to run within the 60 minute window. What is the where clause you are running for your report? Are all the meta keys in the where clause indexed? Over what time period are you attempting to run the report?
It is very important that all reports and alerts are optimized to run on the environment as fast as possible to avoid overstressing the environment. Sometimes it is as simple as selecting the correct indexed meta. If that isn't possible, then making adjustments to query levels is next. What version of NetWitness are you using? This can affect the instructions for query level changes.
In addition to what Jay mentioned, you can also create decoder rules to tag data to be used in reporting. This would change a complex query into something much simpler. If you can provide the select and where statements, we can help you further.
The query that I am trying to run is:
We want to know the last login of each user in the last 3 or 6 months. We have to work with event.time instead of the time meta because sometimes the collection time is delayed by days.
The issue is the CONTAINS in your statement. That has to do a regex-like search of the domain meta data. This can take a very, very long time. If you expect to run this kind of report all the time, you should put the entire where clause into an application rule on the log decoders. Then set it to alert to a meta language key like alert.
So let's say you create an application rule called External Domain Search. You would take the where clause and place it into the condition box. Then under Session Options you select Alert. Then under Alert On you select the language key you want your meta (the app rule name) to show up in. For our example we'll use alert.
So from now on you can use this new meta name (External Domain Search on the alert meta key) on any data from when you enabled the app rule going forward. In your Report Rule you would change the where clause to alert='External Domain Search' and you're done. This would keep the reporting engine from having to context search the domain key along with comparing the rest of the items in your where clause.
As mentioned before, this only helps you going forward, not with anything that has already been captured by the system.
The query.level.1 option should have been deprecated as of 10.5.x. What version are you currently running? This level should be coming from the user that you used to connect the Reporting Source to the reporting engine. You can find the SA Core Query Level under Administration -> Security -> Roles. You then need to edit the role that is assigned to the user account that was used for connecting the Reporting Sources. You'll see it says 1. There are three levels, and they are associated with specific timeouts. These are the old way of doing timeouts in NetWitness.
The only place you can see what these levels actually correspond to is by going to the Explore view of the individual services, like the broker, concentrator or decoder. If you go into the Explore view, I think you would need to look under sdk -> config and you should see the three query levels and the number of minutes allocated for each. As my lab is on 10.6.5 I do not see them, so I can't be exactly sure where they are.
Another way you may be able to address this is to go back to Administration -> Security -> Users and edit the user you are using to connect the Reporting Sources. Under the User's Attributes tab there is an SA Core Query Timeout. This is in minutes and will override the query level timeout.
I hope this helps.