This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
RSAAdmin
Beginner
Beginner
‎2014-08-01 07:18 AM

operator != not working in Netwitness REST API

Hi,

 

I am using netwitness REST API to fetch meta data.

and i found that operator != is not working

 

I am trying to pull the meta data where service is not ssl

when i try below, It is taking huge time and returning useless content with no filters a i have provided

      $query .= '&&service!=443',

as a work around, i had to use below filter which worked

     $query = '&&service=0-442,444-u'

 

$link = "http://$NW_SDK_IP/sdk?msg=values&force-content-type=text/xml&expiry=300&size=500&fieldName=$output&w...".uri_escape($query);

 

Can you please verify the problem and fix.

 

Thanks,

Uma Mahesh

Reply
3 Replies
RSAAdmin
Beginner
Beginner
‎2014-08-04 04:31 PM

Your "fix" may be the preferred way of doing it anyway.  I find inequality comparisons against the DB to be extremely costly (resource intensive) and try to avoid them whenever possible, though they work fine in app rules and "real-time" comparisons.

 

I'm not a NW/SA developer, but in my experience any inequality comparison against the DB that you can rewrite into an equality comparison is probably going to be faster.  I've even gone so far as to generate meta from an app rule that does the inequality comparison (i.e. name=not_rfc1918 / ip.src!=10/8,172.16/12,192.168/16), and then you can do an equality comparison against that generated meta (alert=not_rfc1918) to find the same dataset.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2014-08-07 11:03 AM

Doug is correct, his technique of using alerts in this way is highly recommended. 

 

There was a bug in 10.3.0 - 10.3.2 that caused != to produce incorrect results for some queries, though it's resolved in the latest releases.

0 Likes
Reply
ChristopherAhea
Employee
Employee
‎2014-08-15 10:45 AM

It's been a while but the last time I tried doing this, I had to place some of that text inside of quotes that would be passed as arguments.  I have a python script that basically was designed to pull pcaps but the url construction is basically the same.

Preview file
4 KB
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.