Question on Netwitness custom parser
Recently, I configured a new custom parser for a customer, and successfully modified all index-concentrator-custom, index-logdecoder-custom and table-map-custom files, across three separate concentrators and log decoders, to include 4 new metakeys. I restarted the concentrator and log decoder processes, the new parser showed up fine, and the metas are available for Investigate meta groups.
However, when using the Investigate screen and selecting the broker to query the meta information, I got a lot of metas, not only the ones I created (but those are included too), showing the following message on the Investigate screen instead of their values:
SDK-Values fieldname XXXX is not defined for device xx.xx.6.83:56005.
But if the device selected for Investigate is the concentrator directly instead of the broker, then no message is displayed and all meta values are shown correctly.
Is there any additional configuration that I may have overlooked when installing the custom parser on the decoders, so that the query also works on the broker? Does the broker need any specific configuration, such as index-xxx-custom files?
Thanks for any help you can provide,
The broker queries the concentrators for their meta keys to build its own list. It's not immediate and will take some time. You could try restarting the broker.
Other than that you're just going to have to wait for the cycle to run.
You did not do anything wrong in the configuration, this is just how it works.
Thanks for your message! So, how long is that cycle you mention? Just to have an idea on how much time it may take before this list is updated...
In the scenario where a Broker is aggregating from multiple concentrators and one of the concentrators has custom meta indexed and another has no custom meta indexed, the aggregating broker displays "SDK-Values fieldName X not defined" in the Investigate page.
I recommend that you maintain the exact same configuration across your concentrators. It makes the configuration management easier.
I know that this is not ideal for some architectures especially MSSP ones, so probably we will have to come up with a better way to manage index configuration files.
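The advice above (keep the index configuration identical across every concentrator behind a broker) is easy to state and easy to drift away from. The following Python script is an added example, not code from the thread or from RSA. It parses the index-concentrator-custom.xml files collected from each concentrator, reports every key that is missing on some concentrators or indexed at a different level, and matches "SDK-Values fieldname ... is not defined for device ..." messages from the broker against that drift. The XML layout (a `<language>` root with `<key name=... level=.../>` children), the three host:port values and the file contents and error lines are all constructed for the example, and `explain_errors` assumes the key name in the message is the custom meta key as written in the index file.

```python
"""Detect index-key drift across NetWitness concentrators behind a broker.

Added example (not from the thread). Assumes index-concentrator-custom.xml
looks like <language ...><key name="..." level="..." .../></language>;
the host:port values, file contents and broker messages below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed index-concentrator-custom.xml contents, one per concentrator.
# The third concentrator lacks custom.keyc and indexes custom.keyb at a
# different level: exactly the mismatch the thread warns about.
SAMPLE_INDEX_FILES = {
    "10.0.6.81:56005": """<language name="custom" version="1.0">
  <key description="Key A" format="Text" level="IndexValues" name="custom.keya" valueMax="250000"/>
  <key description="Key B" format="Text" level="IndexValues" name="custom.keyb" valueMax="250000"/>
  <key description="Key C" format="Text" level="IndexValues" name="custom.keyc" valueMax="250000"/>
</language>""",
    "10.0.6.82:56005": """<language name="custom" version="1.0">
  <key description="Key A" format="Text" level="IndexValues" name="custom.keya" valueMax="250000"/>
  <key description="Key B" format="Text" level="IndexValues" name="custom.keyb" valueMax="250000"/>
  <key description="Key C" format="Text" level="IndexValues" name="custom.keyc" valueMax="250000"/>
</language>""",
    "10.0.6.83:56005": """<language name="custom" version="1.0">
  <key description="Key A" format="Text" level="IndexValues" name="custom.keya" valueMax="250000"/>
  <key description="Key B" format="Text" level="IndexKeys" name="custom.keyb" valueMax="250000"/>
</language>""",
}

# Constructed broker messages in the shape quoted in the question.
SAMPLE_BROKER_ERRORS = [
    "SDK-Values fieldname custom.keyc is not defined for device 10.0.6.83:56005.",
    "SDK-Values fieldname custom.keya is not defined for device 10.0.6.81:56005.",
]

# Key name is a single token; device is host:port (the trailing period of the
# sentence is excluded because the port is digits only).
ERROR_RE = re.compile(
    r"SDK-Values fieldname (?P<key>\S+) is not defined for device (?P<device>[\w.\-]+:\d+)"
)


def parse_index_keys(xml_text):
    """Return {key name: index level} for every <key> in one index file."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): k.get("level") for k in root.iter("key") if k.get("name")}


def find_drift(index_files):
    """Return keys that are not identically indexed on every concentrator.

    Result: {key: {"missing_on": [device, ...], "levels": [level, ...]}}.
    A key is reported if any concentrator lacks it or if the concentrators
    disagree on its index level.
    """
    keysets = {dev: parse_index_keys(text) for dev, text in index_files.items()}
    all_keys = set().union(*(set(ks) for ks in keysets.values()))
    drift = {}
    for key in sorted(all_keys):
        missing = sorted(dev for dev, ks in keysets.items() if key not in ks)
        levels = sorted({ks[key] for ks in keysets.values() if key in ks})
        if missing or len(levels) > 1:
            drift[key] = {"missing_on": missing, "levels": levels}
    return drift


def parse_broker_errors(lines):
    """Extract (key, device) pairs from broker 'not defined' messages."""
    found = []
    for line in lines:
        m = ERROR_RE.search(line)
        if m:
            found.append((m.group("key"), m.group("device")))
    return found


def explain_errors(error_lines, index_files):
    """Pair each broker message with the drift (if any) behind it.

    Returns a list of (key, device, explanation). A key that is present and
    identically indexed everywhere points at the broker's key list simply not
    having refreshed yet, which the replies above say resolves by waiting or
    restarting the broker.
    """
    drift = find_drift(index_files)
    report = []
    for key, device in parse_broker_errors(error_lines):
        info = drift.get(key)
        if info is None:
            text = "key indexed identically on all concentrators; wait for the broker key refresh or restart the broker"
        elif info["missing_on"]:
            text = "missing on " + ", ".join(info["missing_on"])
        else:
            text = "index level differs across concentrators: " + ", ".join(info["levels"])
        report.append((key, device, text))
    return report


if __name__ == "__main__":
    for key, info in find_drift(SAMPLE_INDEX_FILES).items():
        print(f"drift: {key} missing_on={info['missing_on']} levels={info['levels']}")
    for key, device, text in explain_errors(SAMPLE_BROKER_ERRORS, SAMPLE_INDEX_FILES):
        print(f"{key} @ {device}: {text}")
```

In practice you would replace `SAMPLE_INDEX_FILES` with the index-concentrator-custom.xml contents pulled from each concentrator (and run the same comparison over the index-logdecoder-custom.xml and table-map-custom.xml files on the log decoders), then fix every reported key before expecting the broker's aggregated key list to settle.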