we're using SA for log, we identified a few devices(device.ip meta) which we want to use feed, tried to create the feed using csv (without xml definition), but there is no values, checked the documents, seems it can only reference to ip.src or ip.dst? how to make it refrence to device.ip?
Or is there any steps missing?
Below is the sample csv:
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
I try to create a custom feeds with metacallback for tell device.ip but i can't do it.
You can tell me how are you doing for that please ? Because my CSV and xml don't work and i don't find the reason
i post this question on forum How create a custom feed with "device.ip" (MetaCallback) but i explain the case :
My custom meta work with another feed. But Only meta "ip.src" or "ip.dst" is considerate for the indexation with a feed on CIDR. I read in forum or RSA documentation that custom xml with "metacallback" attribut allows to select another meta for indexing, but I can't ...
May be is my xml file or a bad practice ? I try 2 xml with <MetaCallback> but nothing. What do you think, Can you help me please ?
- My meta is in "index-concentrator-cutom"
- My XML and my CSV File :
or i try like that :
- My CSV :
- I have restart the nwconcentrator service but nothing :
thank for your read