This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
RSAAdmin
Beginner
Beginner
‎2013-09-23 06:54 AM

Deleting a custom feed from Decoder

Jump to solution

Hi, I have created a custom feed. Now I have deleted few entries from CSV file. then re uploaded the feed file and reloaded the parser.

But still i am able to see meta is being created for deleted entries from CSV.

 

Say My CSV has 3 entries. And i have a 3 entries in Meta called Name viz name1 name2 name3

192.168.1.1 name1
192.168.1.2 name2
192.168.1.3 name3

 

I have edited my CSV by deleting last entry. Now CSV looks like

192.168.1.1 name1
192.168.1.2 name2

 

I have recreated the feed and uploaded it to decoder and reloaded the parser.

But even after this i can see logs from 192.168.1.3 being stored under meta name3

Isn't uploading new feed with removed entries makes decoder not to create any meta for name3?

 

Regards

DJ

0 Likes
Reply
1 Solution

Accepted Solutions
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2013-10-06 11:07 AM

Jump to solution

You can delete a feed thru the REST API with /decoder/parsers?msg=feed&filename=<feed_filename>&op=delete

 

You can also grab logs using the REST API:

 

/logs?msg=pull

/logs?msg=download&time1=<start time>&time2=<end time>

View solution in original post

0 Likes
Reply
5 Replies
KhalilOmarConsu
Beginner
Beginner
‎2013-09-23 11:29 PM

Jump to solution

I think you need to wait until the new feed comes into effect, or perhaps check your investigation schedule whether your querying the latest information with the latest feed or from the past with the old feed in effect.

 

I hope that helps a little to shed light into it.

 

Cheer

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to KhalilOmarConsu
‎2013-09-23 11:34 PM

Jump to solution

Looks like the feed was not uploaded properly. I had to wit for some time to get the feed applied.

 

Regards

DJ

0 Likes
Reply
KhalilOmarConsu
Beginner
Beginner
In response to RSAAdmin
‎2013-09-23 11:40 PM

Jump to solution

The only way to check when the feed is successful is to look at the /var/logs/messages in the decoder and grep <name of feed> check whether there was an invalid entries.  Another is to look at the explorer files under decoder->parsers->feeds your feed should have some numbers in the entries amounting the number of lines in the feed.

 

Cheer

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to KhalilOmarConsu
‎2013-09-23 11:43 PM

Jump to solution

The problem i am having is I execute the feed upload over REST interface. So i cant check logs on decoder.

 

Regards

DJ

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2013-10-06 11:07 AM

Jump to solution

You can delete a feed thru the REST API with /decoder/parsers?msg=feed&filename=<feed_filename>&op=delete

 

You can also grab logs using the REST API:

 

/logs?msg=pull

/logs?msg=download&time1=<start time>&time2=<end time>

View solution in original post

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.