detailed.stats not taking effect

Question asked by RSA Admin Employee on Nov 6, 2014
Latest reply on Nov 7, 2014 by RSA Admin

Hello,

For our rather large NetWitness 9.8 infrastructure, I have written quite a few scripts. One of them is intended to audit the various feeds, parsers, etc., ensuring that each decoder has deployed what we intend it to have. I use the "REST" API (it's not truly REST, but hey it works...) to accomplish this and many other things. The only way (that I know of) to enumerate the parsers for each decoder is to set the variable /decoder/parsers/config/detailed.stats to "on", wait a few seconds while the list populates, then look at /decoder/parsers/definitions to see the list. With detailed.stats set to the default "off", the URL /decoder/parsers/definitions gives a 404. With it "on", that URL gives a list of queryable nodes. After polling, I return the variable to its original "off" state to conserve resources. Works great, and has for the past couple of years.

Recently, I've noticed that some of our decoders (9.8.5.x) are either silently ignoring the value of detailed.stats, or are silently failing to populate that list.  I can see in the logs "user has changed detailed.stats to 'on'", etc.  I can verify that the variable is indeed set to "on" as it should be, but /decoder/parsers/definitions still results in a 404.  I've tried waiting several minutes, even several hours for the list to populate, but it never does.  Service restarts, even a reboot, nothing seems to make this bit start working again.  The obvious course of action is to look for something that changed between working and not working... but from what I can tell, nothing has changed.

So - has anyone run across this before?  Any recommendations for a fix?  Thanks in advance!

Josh

Edited to add: some of our decoders, running the exact same 9.8.5 release, work as expected. There seems to be no rhyme nor reason for which ones have developed this little quirk. It is currently affecting only a few decoders.
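
The audit procedure described in the post above, as an added example (not part of the original post and not RSA code): it turns detailed.stats on, polls the definitions node until it stops returning 404 or a timeout expires, always restores the original value, and reports whether a decoder is affected. Only the two node paths and the on/off/404 behaviour come from the post; the `get`/`set_value` transport callables, the status labels and the `FakeDecoder` stand-in are assumptions made so the logic runs offline.

```python
import time

CONFIG = "/decoder/parsers/config/detailed.stats"   # node path from the post
DEFS = "/decoder/parsers/definitions"               # node path from the post

def audit_parsers(get, set_value, timeout=30.0, interval=2.0, sleep=time.sleep):
    """get(path) -> (http_status, body); set_value(path, value). Both are hypothetical."""
    original = get(CONFIG)[1].strip()
    if original != "on":
        set_value(CONFIG, "on")
    try:
        waited = 0.0
        while True:
            status, body = get(DEFS)
            if status == 200:
                return "ok", body
            if status != 404:
                return "error", body
            if waited >= timeout:
                # Tell "flag is on but list never appeared" apart from "flag did not stick".
                applied = get(CONFIG)[1].strip() == "on"
                return ("stuck" if applied else "not-applied"), None
            sleep(interval)
            waited += interval
    finally:
        # Restore the original setting on every exit path, including errors.
        if original != "on":
            set_value(CONFIG, original)

class FakeDecoder:
    """Constructed stand-in for one decoder; populates_after=None never lists parsers."""
    def __init__(self, populates_after=None):
        self.flag, self.polls = "off", 0
        self.populates_after = populates_after
    def get(self, path):
        if path == CONFIG:
            return 200, self.flag
        if self.flag == "on":
            self.polls += 1
            if self.populates_after is not None and self.polls > self.populates_after:
                return 200, "parserA\nparserB"
        return 404, ""
    def set_value(self, path, value):
        self.flag = value

if __name__ == "__main__":
    for name, dec in {"healthy": FakeDecoder(2), "affected": FakeDecoder(None)}.items():
        print(name, audit_parsers(dec.get, dec.set_value, sleep=lambda s: None))
```

A "stuck" result across a fleet gives a list of affected decoders to compare against the ones that return "ok".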
