Archiver and startsession
It seems like the archiver starts to aggregate from the last known session ID value. If aggregation was stopped for several days, it seems like the archiver will try to extract all these values. Is it possible somehow to reset the last known value or set it manually?
If I understand your question correctly, you want to know how to start an archiver's aggregation at a specific time instead of whenever the last session was retrieved from the log decoder. If this is the correct question, here is the answer to
Archivers have a switch in the Explore View -> Archiver -> Config called aggregate.hours. By default it is set to 0. This means that the archiver starts back as far as it needs to, based on what the last session ID was. If you change the value of this option to, say, 1, then the archiver will only look back an hour and start pulling in data from the log decoders starting an hour ago. Unfortunately, you cannot be more specific than how many hours back you want to consume. You can't say "I want to start at a specific date and time."
Say you have a log decoder and an archiver. The archiver runs into issues for whatever reason and it cannot aggregate data from the log decoder for several days. Once you have the archiver issue fixed, you don't want to wait for the archiver to reconsume from the log decoder, for whatever reason. You find you aren't concerned about the last 48 hours of data that is on the log decoder; you only want to start aggregating the immediate data onto the archiver. In that case you would go into the Archiver's Explore view -> archiver -> config -> aggregate.hours and set it to 1, and then the archiver will immediately start aggregating only what the log decoder picked up in the last hour and move forward from there. This pretty much means that any data captured by the log decoder between the time the archiver went offline until one hour before the archiver was brought online will not be contained within the archiver.
I hope this answers your question. If not, please provide as much clarity as you can as to where I went astray.