I have got a problem with the investigation tab.
When I go into the investigation tab, I can't browse the data because all the data is gray.
I suppose that the problem is about the index.
Can you help me and give me some advice to solve this issue?
Have a good day
I had the same problem without apparent cause a few days ago.
Restarting didn't help, so I tried to re-index the data. After re-indexing was done (as I could see in the logs) it seemed to be the same as before, so I waited a few more hours and then everything became OK =-O
Support didn't find anything in the logs, so I can just hope that it will never happen again...
Please send the "df -h" output for the entire appliance.
I assume you have restarted the jettysrv service on the SA Server, and restarted the nwconcentrator service on the Concentrator. If not, do so, and watch the /var/log/messages file as the nwconcentrator service starts and checks the index files. Send anything from the log that looks interesting.
Also, let me know whether you are able to investigate against the Broker or another Concentrator.
If you have the thick client Investigator, try to use it to investigate against the appliance. This will help determine whether this is a WebUI problem or an index problem.
You could reset the index on the Concentrator but that could take 30 hours or more on a Concentrator with a single DAC.
If you decide to reindex the Concentrator, tail -f /var/log/messages to check the status of the reindex and estimated time to complete. It is clearly logged during the reindex.
There are knowledgebase articles on how to reset the index on appliances.
Look for kb 26957 and 26621 on SCOL to explain how to index reset the appliance.
Hope this helps.
Maybe you can re-index your metakeys; it always helps.
Go to Service > Explore > right-click on Broker.
It will show Properties for Broker
Select reset and in the parameters set index=1
and then send.
You can look at the messages log to see if it finished.
There's nothing wrong with your system. You opened a report that is not indexed. You cannot drill on reports that are not indexed because it's the equivalent of a table scan over (typically) billions of rows.
If device.type is something you want to drill on, then you need to edit the index-concentrator-custom.xml on every concentrator and make sure IndexValues is the default index level. Concentrator ships with device.type indexed at the value level by default, so you must have set it to IndexNone in your custom file and overridden the default.
Please do not edit the index on your log decoder. Log Decoders should not be indexing any values. The Concentrators are your query engine.
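A quick way to check for the override described in the last reply, as an added example that is not part of the thread and not RSA's own tooling: it parses a custom index file and reports the level set for each meta key you want to drill on. The sample XML is constructed, and the `<language>`/`<key name=... level=...>` layout, the function name and the key list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for index-concentrator-custom.xml.
# Assumption: keys are <key> elements carrying "name" and "level" attributes.
SAMPLE_CUSTOM_INDEX = """<language level="IndexNone" defaultAction="Auto">
  <key description="Device Type" format="Text" level="IndexNone" name="device.type"/>
  <key description="Custom App" format="Text" level="IndexKeys" name="custom.app"/>
  <key description="User" format="Text" level="IndexValues" name="user.dst" valueMax="100000"/>
</language>
"""

KNOWN_LEVELS = ("IndexNone", "IndexKeys", "IndexValues")


def audit_custom_index(xml_text, wanted_keys):
    """Return {meta key: finding} for every key the analysts need to drill on."""
    root = ET.fromstring(xml_text)
    # Collect the level each custom entry sets; a custom entry overrides the default.
    overrides = {}
    for key in root.iter("key"):
        name = key.get("name")
        if name:
            overrides[name] = key.get("level", "")

    findings = {}
    for name in wanted_keys:
        level = overrides.get(name)
        if level is None:
            findings[name] = "not overridden (default index applies)"
        elif level == "IndexValues":
            findings[name] = "ok (IndexValues)"
        elif level in KNOWN_LEVELS:
            findings[name] = f"override below IndexValues ({level})"
        else:
            findings[name] = f"unrecognized level ({level!r})"
    return findings


if __name__ == "__main__":
    keys = ["device.type", "custom.app", "user.dst", "ip.src"]
    for key, finding in audit_custom_index(SAMPLE_CUSTOM_INDEX, keys).items():
        print(f"{key}: {finding}")
```

Run it against the custom file from each Concentrator, since the override has to be corrected on every one of them.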