I’m having trouble with a few fields while using the native parser of Arbor Peakflow SP. I have created a few Log Parser Rules but, as noted, they do not override any meta that has already been parsed in the original parser. Any idea on how to get NetWitness to correct these metakeys without having to create a custom parser with Log Parser Tool?
One example I found: while trying to parse the alert #, I found that in some events the information comes along with the metakey “node” (image 1). Even after creating the log parser rule to look for alert #, the information gets parsed as it was configured in the original parser (image 2).
I have an active subscription and deployed the latest parser, but it was last updated in 2017. Any thoughts on how to either get RSA to update this parser or how I can correct these metakeys without having to create a custom parser?