RSA NetWitness^® Platform Discussions

ShahnawazKohati · ‎2019-03-05

Dear All,

I have injected custom logs under RSA SA for some old dates and trying to run report on the same using "event_time" meta.

Once logs uploaded, i can view current time in "time" meta and old time in "event_time" meta.

Copied the avro to the date folder i want report for but report appears blank.

For example:

On 5 Mar, i have inject logs of 05 Jan using nwlogplayer under Decoder. Logs populated under Conc properly like "time" meta reflecting 5 Mar and "event_time" meta reflecting 05 Jan. Now copied avro of 05 Mar and paste to 05 Jan and trying to run the report using "event_time" meta on 05 Jan time period.

Report appearing blank.

Need support on the same on how i can able to view logs or any suggestion which can help me to achieve it.

DaveGlover · ‎2019-03-05

Shahnawaz

The issue is when you inject the data into the system you loose the original collected date time

There are steps that I outlined in a diff post on how to do this.

I can get you the link shortly if you can’t find it

Dave

ShahnawazKohati · ‎2019-03-05

Please if you help me with the link or steps....it would be very helpful to me

DaveGlover · ‎2019-03-05

https://community.rsa.com/thread/198025

Have a look at that article

Let me know if you need any further help

Dave

RSA NetWitness® Platform Discussions

custom inject log report

RSA NetWitness^® Platform Discussions