In rare cases, you may see a different result between "Go to event in Event Reconstruction" and querying specific sessionid in Investigate.
Here are the details:
From Investigate > "Go to event in Event Reconstruction", searching for eventID "234994693505" returns the event (screenshot not reproduced here).
From Investigate > "Go to event in Event Analysis", searching for the same eventID "234994693505" displays an error message instead (screenshot not reproduced here).
When using the query "sessionid=234994693505", the result is "No data to display" (screenshot not reproduced here).
From Broker-explore-sdk deviceId, the response is "No device mapping exists" (screenshot not reproduced here).
When exporting the pcap for this session, the resulting file is 0 bytes (screenshot not reproduced here).
In summary, this problematic session can only be retrieved via "Go to event in Event Reconstruction".
Sometimes the Broker reports that its ranges are out of sync with the Index/MapDB. When the ranges are out of sync, the Investigation/Events page shows exactly this behaviour, because the Broker can no longer resolve queries correctly.
You can try the following procedure to fix this issue.
Go to the Explore page of "Broker".
Right Click "Broker" node and select "Repair" from the dropdown.
Click Send. This would take a few seconds to a few minutes.
Check whether the issue persists on the Broker. This step does not cause any data loss; it corrects the mapping in the Broker, and restarting the service is not required.
If the procedure above does not work, perform the following steps instead.
SSH to the Broker Appliance.
Stop the Broker service (service nwbroker stop). Before proceeding, check the status of the service (service nwbroker status): the status must not be deactivating, running, or active.
Go to the Folder: "/var/netwitness/broker/index"
The MapDB files are located in this folder.
Back up the files in this folder to a backup location.
Make Directory "mkdir /root/broker-mapdb/"
Go to the folder "/var/netwitness/broker/index"
Move all the files "mv * /root/broker-mapdb/ -vv"
Check if all the files are moved to the backup location.
Start the Broker Service.
After the service starts, remove and re-add the devices in the Broker configuration. Note: the backup step is essential. If regeneration fails, the only recovery is to restore the backed-up files.
Once this is done, querying the problematic sessionid via "Go to event in Event Reconstruction" works again, which means the Broker is back in sync with the Index/MapDB.
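The manual steps above (stop the service, confirm it is stopped, move the MapDB files to a backup location, verify the move, start the service) as a single POSIX shell script. This is an added example, not a script from the NetWitness article: the index path, backup path and service name are the ones the article gives, while the function names (`status_is_stopped`, `move_index_files`, `rebuild_broker_mapdb`) and the `--run` guard are my own. The directory-moving helper takes its paths as parameters so it can be exercised against a scratch directory before it is pointed at the real index.

```shell
#!/bin/sh
# Added example (not from the NetWitness KB article): scripted version of the
# manual MapDB rebuild procedure. Paths and service name come from the article;
# the helpers are parameterised so the move step can be tested on a scratch dir.

BROKER_INDEX="${BROKER_INDEX:-/var/netwitness/broker/index}"   # path from the article
BACKUP_DIR="${BACKUP_DIR:-/root/broker-mapdb}"                   # path from the article
SERVICE_NAME="nwbroker"                                          # service from the article

# Count the direct entries (files and subdirectories) of a directory.
count_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# Decide from "service nwbroker status" output whether the Broker is really
# stopped. The article requires the state to be none of deactivating / running /
# active; matching whole words keeps "inactive" from being read as "active".
status_is_stopped() {
    ! printf '%s\n' "$1" | grep -Eqw 'deactivating|running|active'
}

# Move every entry out of the index directory into the backup location and
# verify that nothing was left behind. find is used instead of "mv *" so an
# unexpectedly empty index directory fails loudly rather than becoming a no-op.
move_index_files() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    before="$(count_entries "$src")"
    if [ "$before" -eq 0 ]; then
        echo "nothing to move in $src" >&2
        return 1
    fi
    find "$src" -mindepth 1 -maxdepth 1 -exec mv -v {} "$dest"/ \;
    remaining="$(count_entries "$src")"
    moved="$(count_entries "$dest")"
    if [ "$remaining" -eq 0 ] && [ "$moved" -ge "$before" ]; then
        return 0
    fi
    echo "move incomplete: $remaining entries remain in $src" >&2
    return 1
}

# The full procedure. It only runs when invoked explicitly with --run, so that
# sourcing this file for testing never stops a service or moves real data.
rebuild_broker_mapdb() {
    service "$SERVICE_NAME" stop
    status_is_stopped "$(service "$SERVICE_NAME" status 2>&1 || true)" \
        || { echo "$SERVICE_NAME is still active; aborting" >&2; return 1; }
    move_index_files "$BROKER_INDEX" "$BACKUP_DIR" || return 1
    service "$SERVICE_NAME" start
    echo "Index moved to $BACKUP_DIR. Now remove and re-add the devices in the" \
         "Broker configuration; restore the backup if regeneration fails."
}

if [ "${1:-}" = "--run" ]; then
    rebuild_broker_mapdb
fi
```

Run it as `sh rebuild-broker-mapdb.sh --run` on the Broker appliance; without `--run` it only defines the functions. The script stops before touching the index if the service status still reports an active state, and it refuses to start the service again unless the index directory is verified empty, which is the check the manual step "Check if all the files are moved to the backup location" asks for.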