You can use meta groups to filter data displayed in an investigation. A fresh installation of NetWitness Platform includes built-in meta groups to help you find interesting data sets in Investigate. The built-in meta groups are prefixed with RSA for identification and can be duplicated but cannot be edited or deleted. You can create your own groups and you can duplicate and edit a built-in group to create a custom group. With a meta group in effect during an investigation, the information in the Navigate view and Events view includes only the meta keys in the selected group.
While the functionality of meta groups is similar in the Navigate view and the Events view, the user interface and some of the procedures are different.
Using options in the Events view Meta Groups menu (Version 11.5 and later) , you can:
- Select a meta group to apply.
- See the details of a meta group.
- Create, edit, and delete custom meta groups.
- Clone and edit the clone of a built-in or custom meta group.
Using options In the Navigate view Manage Meta Groups dialog, you can do all of the above as well as import and export a meta group. Refer to Use Meta Groups to Focus on Relevant Meta Keys for detailed information.
- How NetWitness Investigate Works
- Use Meta Groups to Focus on Relevant Meta Keys
- Filter Results in the Navigate View
Quick Look - Meta Groups Menu, Create Meta Group Dialog, and Meta Group Details Dialog
This section introduces the Meta Groups Menu, Create Meta Group dialog, and the Meta Group Details dialog. The following figure is an example of the Meta Group menu. The table describes the options.
|Visibility Options|| Control the types of meta groups that are visible in the list. You can use any combination of the visibility options: Private, Shared, or RSA (blue = selected, black = not selected). Initially none of the buttons are selected and all meta group types are visible. This is the same result as if all three buttons are selected. The visibility options work together with text in the Filter Meta Groups field. If the visibility option is hiding built-in groups (which include "RSA" in the group name) and you search for a name that contains "RSA," the list is empty. |
Private = display private groups that only you can manage
Shared = display shared groups that anyone in your organization can manage
RSA = display built-in groups that only RSA can manage
|Filter Meta Groups||Filters the list of meta groups as you type text so that only group names that contain the typed text are displayed.|
|Meta Group List||The list of meta groups consists of custom and built-in groups. Custom meta groups can be shared or private. The RSA meta groups are built-in meta groups; you cannot edit or delete these, but you can make a copy and edit the copy. Icons preceding the meta group name distinguish the private groups, shared groups, and built-in groups.|
|New Meta Group||Displays the Create Meta Group dialog, where you can create a custom meta group.|
The Create Meta Group dialog, shown in the figure on the left, allows you to define a custom meta group. The figure on the right illustrates the Meta Group Details dialog, in which you can edit a custom meta group. The table describes the fields and options in the dialogs.
|Creates a copy of the meta group so that you can edit a copy. This is useful if you want your own copy of a built-in group, a shared copy of a private group, or a private copy of a shared group.|
|Deletes the custom meta group that you are currently editing. This action is irreversible and applies globally. If the meta group is a shared group, it is no longer available to anyone.|
|Group Name||Displays the name of the meta group. The name must be unique and contain fewer than 64 characters. You can type in this field to edit the name in a custom meta group.|
|Sharing||Specifies whether the meta group is shared or private. This setting is available when you first create the group. After it is created, you cannot change a shared column group to private, or a private column group to shared.|
|Filter Meta Keys||Filters the Displayed Meta Keys and Available Meta Keys based on the text that you type. Only meta keys that contain the typed text are displayed.|
|Displayed Meta Keys||Displays a scrollable list of meta keys that are selected for use in the custom meta group. You can add meta keys in the Available Meta Keys list to this list, remove meta keys from this list , and drag meta keys up or down to change the order in this list (). Drag and Drop is disabled when text is typed in the Filter Meta Keys field. For each displayed meta key you can choose:|
|Available Meta Keys|| |
Displays a scrollable list of meta keys that are available (on the service) for use in the custom column group. You can add them to the Available Meta Keys list. Clicking next to the meta key name adds it to the Displayed Meta Keys list. You can also set the initial view of each meta key: Open, Closed, Hidden, or Auto (the default setting).
|Initial View Option||For each meta key, you can set the initial view option: |
-When set to Auto, the meta key is automatically loaded only if it is indexed, and non-indexed meta keys are Closed until opened manually. If you change the default view for a group of meta keys to Open and some of the meta keys are non-indexed, the non-indexed meta keys revert to Auto.
-Open meta keys are listed in the Filter Events panel, and the values are loaded.
-Closed meta keys are listed in the Filter Events panel, but the meta values are not loaded until you open the meta key.
-Hidden meta keys are not listed in the Filter Events panel at all. This is useful if you are using a single meta group for multiple purposes instead of creating several meta groups; you can turn off certain keys off without removing them from the meta group. You can also use the Hidden view when testing out some new keys or if you want to prepare a meta group with some new meta keys that are not yet available and would error out if in an Auto, Open, or Closed state.
|Allows you to drag and drop meta keys in the Displayed Meta Keys list so that you can see the data in the order you prefer.|
|Close button||Closes the dialog.|
|Save Meta Group||For the Create Meta Group dialog only, saves the new meta group.|
|For the Meta Group Details dialog only reverts the edited meta group to the last saved state.|
|Update Meta Group||For the Meta Group Details dialog only, applies changes to an edited meta group.|
|Select Meta Group||Applies the meta group. The Filter Events panel is refreshed to display only the meta keys in the selected meta group.|
Quick Look - Manage Meta Groups Dialog
The following figure is an example of the Manage Meta Groups dialog.
The Meta Groups panel is on the left side of the Manage Meta Groups dialog. This is where you can add, delete, import, and export meta groups. The following table describes the features of the Meta Groups panel.
|Adds a meta group using the Settings panel on the right side of the Manage Meta Groups dialog.|
|Deletes the selected meta group. A confirmation dialog is displayed before the meta group is deleted.|
Creates a copy of the selected meta group.
|Displays the Meta Group Import dialog, where you can upload a file.|
|Exports the selected meta group to your computer.|
|Group Name||Lists all meta group names.|
The Settings panel is on the right side of the Manage Meta Groups dialog. This is where you create and edit meta groups. Below the Name field is the Meta Keys list. The following table describes the features of the Settings panel.
|Name||Displays the name of the selected meta group.|
|Displays the Available Meta Keys dialog, where you can select meta keys to add to the group.|
|Deletes the selected meta keys.|
| Displays a drop-down menu, where you can select the view for all meta keys. There are four options based on the possible values for the |
|Display Name||Indicates the name that is displayed for the key in Investigate views, and is defined by the |
|Key Name||Indicates the |
|View|| Indicates the view to which the meta key is set. You can change: |
The following table describes the buttons at the bottom of the dialog.
|Close||Closes the dialog.|
|Cancel||Cancels all changes.|
|Save||Saves all changes.|
|Save and Apply||Saves and immediately applies all changes.|