Some values are indexed while others are not within the same meta language key for RSA NetWitness
RSA Product Set: Security Analytics (10.5.x, 10.6.x), NetWitness for Logs and Network (11.x)
RSA Product/Service Type: SA Server (10.5.x, 10.6.x), Admin Server (11.x)
RSA Version: 10.5.x and higher
Platform: CentOS 6, 7
When a customer drills down on a meta key result, sometimes that value may not be found even though other values exist.
One possible reason is the index space available for the meta value has reached the maximum number of unique values (valueMax) within the index memory slice of the investigation/report.
If the meta key level is set to "IndexValues" in the index-concentrator.xml or index-concentrator-custom.xml, then increasing the "valueMax" parameter for the meta key will increase the number of unique values that can be captured and displayed.
Note: It is important to realize that valueMax values should not be pushed to a larger number than is required for the key. Default valueMax arguments are designed as a failsafe to keep indexes from growing to an unmanageable size.
Caution: Setting IndexValues keys to very high levels can have a significant impact on performance. It is strongly recommended that no key be bigger than 5,000,000 and that only a handful (if necessary) be set at more than a million. If it is believed that there is a need to configure several language keys over 2.5 million, carefully review the keys to determine if there is a better option (such as an application rule or configuring the keys to be "IndexKeys"). Keys set as "IndexKeys" do not have a valueMax setting, as they take up less space in the indexes, but they come with their own pros and cons, which are beyond the scope of this article.
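The thresholds in the caution above can be checked against a custom index file before it is deployed. The following is an added example, not RSA-supplied code: it assumes the file consists of `<key>` elements carrying `name`, `level` and `valueMax` attributes under a `<language>` root, and the sample keys and values are constructed.

```python
import xml.etree.ElementTree as ET

# Thresholds from the caution in this article.
CEILING = 5_000_000   # no key should be bigger than this
REVIEW = 2_500_000    # several keys above this: look for a better option
HANDFUL = 1_000_000   # only a handful of keys should exceed this

# Constructed sample in the assumed shape of index-concentrator-custom.xml;
# key names and values are made up for the example.
SAMPLE_XML = """
<language>
  <key name="example.a" level="IndexValues" valueMax="250000"/>
  <key name="example.b" level="IndexValues" valueMax="1500000"/>
  <key name="example.c" level="IndexValues" valueMax="3000000"/>
  <key name="example.d" level="IndexValues" valueMax="8000000"/>
  <key name="example.e" level="IndexKeys"/>
  <key name="example.f" level="IndexValues"/>
</language>
"""

def audit_value_max(xml_text):
    """Bucket IndexValues keys by the highest threshold their valueMax exceeds."""
    report = {"over_ceiling": [], "over_review": [], "over_handful": [], "unset": []}
    for key in ET.fromstring(xml_text.strip()).iter("key"):
        if key.get("level") != "IndexValues":
            continue  # valueMax only applies to IndexValues keys
        name, raw = key.get("name"), key.get("valueMax")
        if raw is None:
            report["unset"].append(name)  # no explicit valueMax in this file
            continue
        value_max = int(raw)
        if value_max > CEILING:
            report["over_ceiling"].append((name, value_max))
        elif value_max > REVIEW:
            report["over_review"].append((name, value_max))
        elif value_max > HANDFUL:
            report["over_handful"].append((name, value_max))
    return report

if __name__ == "__main__":
    for bucket, keys in audit_value_max(SAMPLE_XML).items():
        print(f"{bucket}: {keys}")
```

Keys at or below one million are not reported, and each key appears only in the highest bucket it reaches.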
Contact NetWitness Customer Support with any questions.