ESA rule - Search on raw
Sorry for the delay, I was held up with a few things.
The new meta will show up in Investigation with values when it receives new logs, and it also takes some time to reflect.
Can you check again and let me know if the Disposition meta is showing up now?
I just did the same changes in my 11.2 lab and it works fine. Here are the changes and a screenshot from my Investigation using the Log concentrator.
Table-map-custom.xml in Log decoder:
<mapping envisionName="disposition" nwName="disposition" flags="None" format="Text" envisionDisplayName="Disposition"/>
Index-concentrator-custom.xml in Log concentrator:
<key description="Disposition" level="IndexValues" name="disposition" format="Text" valueMax="1000" defaultAction="Open"/>
The line in the 'Table-map.xml' file will be there and it does not affect our changes, because its flag is set to 'Transient':
<mapping envisionName="disposition" nwName="disposition" flags="Transient" format="Text" envisionDisplayName="Disposition"/>
For any meta to be indexed, the flag should be set to 'None', and this is the change we are doing in the 'table-map-custom.xml' file.
Ok, so from that it is clear that there is no need to update the parser, and the changes on the decoder have taken effect.
I would suggest doing the below steps one more time to see if it resolves the issue.
1. Restart the nwlogdecoder service on the Decoder that is sending logs to the Concentrator.
2. Restart the nwconcentrator service on the Concentrator that you are using for Investigation.
3. Wait for about 30 minutes and inject new logs into the Log decoder.
4. Go to Investigate and load the default meta group to verify that the Disposition meta shows up.
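An added configuration check, not from this thread or from RSA NetWitness, that reads the two custom files described above and reports a meta key whose decoder mapping is still 'Transient' or that has no 'IndexValues' key on the concentrator. The sample XML and the wrapping root element names are constructed for the example.

```python
"""Check that a meta key is mapped for indexing on the Log Decoder
(table-map-custom.xml, flags="None") and indexed on the Concentrator
(index-concentrator-custom.xml, level="IndexValues")."""
import xml.etree.ElementTree as ET

# Constructed sample fragments modelled on the snippets in the thread; the
# <mappings> and <language> wrappers are placeholders for the real file roots.
TABLE_MAP_CUSTOM = """<mappings>
<mapping envisionName="disposition" nwName="disposition" flags="None" format="Text" envisionDisplayName="Disposition"/>
<mapping envisionName="reason" nwName="reason" flags="Transient" format="Text" envisionDisplayName="Reason"/>
</mappings>"""

INDEX_CONCENTRATOR_CUSTOM = """<language>
<key description="Disposition" level="IndexValues" name="disposition" format="Text" valueMax="1000" defaultAction="Open"/>
</language>"""


def table_map_flags(xml_text):
    """Return {nwName: flags} for every <mapping> element (missing flags assumed "None")."""
    root = ET.fromstring(xml_text)
    return {m.get("nwName"): m.get("flags", "None") for m in root.iter("mapping")}


def index_levels(xml_text):
    """Return {name: level} for every <key> element in an index file."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): k.get("level") for k in root.iter("key")}


def check_meta_key(name, table_map_xml, index_xml):
    """Return the problems that keep `name` out of Investigation; empty list means OK."""
    problems = []
    flags = table_map_flags(table_map_xml)
    if name not in flags:
        problems.append(f"{name}: no <mapping> in table-map-custom.xml")
    elif flags[name] != "None":
        problems.append(f'{name}: flags="{flags[name]}" on decoder, must be "None" to be indexed')
    levels = index_levels(index_xml)
    if name not in levels:
        problems.append(f"{name}: no <key> in index-concentrator-custom.xml")
    elif levels[name] != "IndexValues":
        problems.append(f'{name}: level="{levels[name]}" on concentrator, values not indexed')
    return problems


if __name__ == "__main__":
    for key in ("disposition", "reason"):
        print(key, check_meta_key(key, TABLE_MAP_CUSTOM, INDEX_CONCENTRATOR_CUSTOM) or "OK")
```

Point the two constants at the real files on the decoder and concentrator to check a live deployment before restarting services.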