Hi, I am trying to generate custom feeds for NetWitness.
Issue: I want to add a meta field (device.domain) depending on the IP address from the log.
Each log has an IP address in it, but I also want to add a device name meta field:
<key description="Device IP" level="IndexValues" name="device.ip" format="IPv4" valueMax="100000" defaultAction="Open"/>
For the new meta, I have added a field in index-concentrator-custom.xml:
<key description="domain" name="device.domain" level="IndexValues" format="Text" valueMax="0" defaultAction="Open" />
My feed definition looks like this:
<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
  <FlatFileFeed name="Domain name" path="domainmap.csv" separator="," comment="#">
    <LanguageKeys>
      <LanguageKey name="device.domain" valuetype="Text"/>
    </LanguageKeys>
    <Fields>
      <Field index="1" type="index" range="cidr"/>
      <Field index="2" type="value" key="device.domain"/>
    </Fields>
  </FlatFileFeed>
</FDF>
Then I created the CSV file:
#IP address Domain
I compiled the feed from the NetWitness console:
> feed create feed-definitions.xml
Creating feed Domain name... done. 0 entries, 24 invalid records
All feeds complete.
I got an "invalid records" message; I am not sure about this.
Then I copied the new .feed file to my desktop and added the feed from Security Analytics (uploaded the feed).
After this, I restarted both the decoder and concentrator services, and many logs with device.ip meta were sent to the decoder. But device.domain meta is empty under Investigator. Since Investigator in Security Analytics is slow, I also tried to get the data over the REST API, but there is no data for the device.domain meta field.
Did I miss some steps to push the custom feed? Or is anything wrong in the feed definition?
Message was edited by: dheerajjoshim
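The "0 entries, 24 invalid records" result means every row of domainmap.csv was rejected before the feed was ever loaded, so the decoder had nothing to match device.ip against. The script below is an added example, not part of the original post and not NetWitness code: it pre-checks a flat-file feed CSV locally against the rules the FlatFileFeed definition above declares (separator ",", comment "#", field 1 an index of range "cidr", field 2 the device.domain value) and reports each rejected row with a reason. The sample CSV contents are constructed, and the assumption that the index column must be a strict IPv4 CIDR (host bits zero) is mine; the real feed compiler may differ in detail. The lookup helper only approximates the enrichment step (most specific CIDR containing the log's IP wins).

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample contents of a domainmap.csv (not the poster's file).
# Rows 4, 5 and 6 each fail a different check the feed definition implies.
SAMPLE_CSV = """\
#IP address,Domain
10.10.0.0/16,corp.example.com
192.168.5.0/24,lab.example.com
10.20.0.0 branch.example.com
172.16.0.1/12,dc.example.com
10.30.0.0/16
"""

Entry = Tuple[ipaddress.IPv4Network, str]
Invalid = Tuple[int, str, str]  # (line number, raw line, reason)


def validate_feed(text: str, separator: str = ",", comment: str = "#",
                  index_field: int = 1, value_field: int = 2) -> Tuple[List[Entry], List[Invalid]]:
    """Check each record the way the FlatFileFeed definition declares it:
    split on `separator`, skip lines starting with `comment`, parse field
    `index_field` as a CIDR block (range="cidr") and take field
    `value_field` as the device.domain value.

    Assumption (mine, not documented NetWitness behaviour): the CIDR is
    parsed strictly, so host bits must be zero.
    """
    entries: List[Entry] = []
    invalid: List[Invalid] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(comment):
            continue
        fields = [f.strip() for f in line.split(separator)]
        needed = max(index_field, value_field)
        if len(fields) < needed:
            # Typical cause: the file uses spaces or tabs while the
            # definition says separator=",".
            invalid.append((line_no, raw,
                            f"expected {needed} fields separated by {separator!r}, got {len(fields)}"))
            continue
        try:
            net = ipaddress.IPv4Network(fields[index_field - 1], strict=True)
        except ValueError as exc:
            invalid.append((line_no, raw, f"index field is not a valid IPv4 CIDR: {exc}"))
            continue
        value = fields[value_field - 1]
        if not value:
            invalid.append((line_no, raw, "empty value for device.domain"))
            continue
        entries.append((net, value))
    return entries, invalid


def lookup(entries: List[Entry], ip: str) -> Optional[str]:
    """Return the domain of the most specific CIDR containing `ip`, or None.
    Approximates the enrichment the feed performs on device.ip."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[Entry] = None
    for net, value in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None


if __name__ == "__main__":
    good, bad = validate_feed(SAMPLE_CSV)
    print(f"{len(good)} entries, {len(bad)} invalid records")
    for n, raw, reason in bad:
        print(f"  line {n}: {raw!r}: {reason}")
    print("10.10.4.7 ->", lookup(good, "10.10.4.7"))
```

Run it against the real domainmap.csv before `feed create`: if every row comes back as "expected 2 fields separated by ','", the file's separator does not match the definition; if rows fail the CIDR check, the first column is not in the form the range="cidr" index expects.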