When investigating against a device, the "Unable to Drill Down Error" is displayed after upgrading from 18.104.22.168 or when a submitted query is completely altered after hitting Apply in Investigation.
This problem appears to affect customers who were on version 10.6 at some point and have since updated to 22.214.171.124.
A possible cause of this error is that a couple of index counters in the Mongo database are reset as a result of the upgrade. The counter normally increments as users create queries in Investigation, but after the upgrade the number has reset itself. When a new query is created, the system attempts to use an index value that already exists and throws an error, which can be seen in the /var/netwitness/uax/logs/sa.log file on the Admin Server.
The commands below unzip the archive, stop jetty, execute the provided script, and then start the UI back up.
[root@nwadmin1 ~]# unzip syncCounters.zip
[root@nwadmin1 ~]# systemctl stop jetty
[root@nwadmin1 ~]# mongo admin -u deploy_admin syncCounters.js
MongoDB shell version v3.6.4
connecting to: mongodb://127.0.0.1:27017/admin
MongoDB server version: 3.6.4
Max user predicate id is 41
Updating user predicate counter to 42
Max predicate id is 41
Updating predicate counter to 42
[root@nwadmin1 ~]# systemctl start jetty
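The failure and the repair described above, modelled in memory as an added example. This is not the contents of syncCounters.js and not the vendor's code. The field name id, the convention that the counter holds the next id to hand out, and the sample data are assumptions made for illustration.

```javascript
// Added illustration: in-memory model, constructed data, hypothetical field names.
class DuplicateKeyError extends Error {}

// A collection with a unique index on `id`, plus the counter that hands out ids.
function makeStore(docs, counter) {
  return { docs: docs.map((d) => ({ ...d })), counter };
}

// Saving a query takes the counter value as the new id (assumed convention).
// The unique index rejects an id that is already present.
function createQuery(store, text) {
  const id = store.counter;
  if (store.docs.some((d) => d.id === id)) {
    throw new DuplicateKeyError(`id ${id} already exists`);
  }
  store.docs.push({ id, text });
  store.counter = id + 1;
  return id;
}

// Repair: the counter must be strictly greater than the highest id in use.
// A counter that is already ahead is left alone, never moved backwards.
function syncCounter(store) {
  const maxId = store.docs.reduce((m, d) => Math.max(m, d.id), 0);
  const before = store.counter;
  if (before <= maxId) store.counter = maxId + 1;
  return { maxId, before, after: store.counter, changed: store.counter !== before };
}

// Constructed scenario: 41 saved queries, counter reset to 1 by the upgrade.
function demo() {
  const docs = Array.from({ length: 41 }, (_, i) => ({ id: i + 1, text: `q${i + 1}` }));
  const store = makeStore(docs, 1);
  let failedBefore = false;
  try {
    createQuery(store, "new query");
  } catch (e) {
    failedBefore = e instanceof DuplicateKeyError;
  }
  const sync = syncCounter(store);
  const newId = createQuery(store, "new query");
  return { failedBefore, sync, newId, nextCounter: store.counter };
}

console.log(demo());
```

With the constructed data the repair reports a maximum id of 41 and a counter of 42, the same relationship shown in the script output above.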
This option is available to customers who cannot use the script or would prefer to do it manually. This article will walk you through how to reset the predicate and userPredicate table counters to the appropriate value.
First off, you should stop jetty to ensure that no users continue to make queries while we make our changes. Please note that by doing this you are stopping the User Interface.
systemctl stop jetty
Export a copy of the collection we are going to modify so that it can be restored if a mistake is made. Note that the password for your database is your deployment password. In my case, it is "netwitness".