operator != not working in Netwitness REST API
I am using netwitness REST API to fetch meta data.
and i found that operator != is not working
I am trying to pull the meta data where service is not ssl
when i try below, It is taking huge time and returning useless content with no filters a i have provided
$query .= '&&service!=443',
as a work around, i had to use below filter which worked
$query = '&&service=0-442,444-u'
$link = "http://$NW_SDK_IP/sdk?msg=values&force-content-type=text/xml&expiry=300&size=500&fieldName=$output&w...".uri_escape($query);
Can you please verify the problem and fix.
Your "fix" may be the preferred way of doing it anyway. I find inequality comparisons against the DB to be extremely costly (resource intensive) and try to avoid them whenever possible, though they work fine in app rules and "real-time" comparisons.
I'm not a NW/SA developer, but in my experience any inequality comparison against the DB that you can rewrite into an equality comparison is probably going to be faster. I've even gone so far as to generate meta from an app rule that does the inequality comparison (i.e. name=not_rfc1918 / ip.src!=10/8,172.16/12,192.168/16), and then you can do an equality comparison against that generated meta (alert=not_rfc1918) to find the same dataset.
Doug is correct, his technique of using alerts in this way is highly recommended.
There was a bug in 10.3.0 - 10.3.2 that caused != to produce incorrect results for some queries, though it's resolved in the latest releases.