
How to interpret the output of /index/inspect on an RSA Security Analytics concentrator

Issue

How to interpret the output of /index/inspect on an RSA Security Analytics concentrator.

Resolution

Index inspect reports three types of information:

1) Summary statistics for the entire index
2) Summary statistics for each indexed meta key in each slice
3) Running total statistics that represent totals accumulated during the call to index inspect

The summary statistics for the entire index look like this:

[ session1=1 session2=26086885 meta1=1 meta2=229364382 size=4623363103 ]

This information is reported first.

The definition of each of these fields is as follows:
session1: The first session ID present in the index
session2: The last session ID present in the index
meta1: The first meta ID in the first session present in the index
meta2: The last meta ID in the last session present in the index
size: The total data size for all sessions present in the index


The per-key per-slice statistics look like this:

[ key=did pathname=/var/netwitness/concentrator/index/managed-values-16/did.nwindex
values=1 summaries=1 pages=0 sessions=17 size=8408 packets=17 summary1=23753
summary2=23753 session1=26086869 session2=26086885 ]

The definition of each of these fields is as follows:
key: The meta key name
pathname: The file system location of the value map data for this index
values: The number of unique values for this meta key type in this index
summaries: The number of summary objects allocated by this index in the summary database
pages: The number of page objects allocated by this index in the page database
size: The total data size of sessions that were indexed by this index
packets: The total number of packets in sessions that were indexed by this index
summary1: The ID of the first summary database object allocated for this index
summary2: The ID of the last summary database object allocated for this index
session1: The ID of the first session indexed by this index
session2: The ID of the last session indexed by this index

The inspect call summary looks like this:

[ totalKeys=124 totalValues=37 totalMemory=260077776 ]

This information is always reported last.

The definition of each of these fields is as follows:
totalKeys: The number of keys currently present in the index language, including keys that did not get indexed.
totalValues: The number of unique values present in the slices traversed during this index inspection
totalMemory: A very rough approximation of the memory used by the slices traversed during this index inspection.



Notes

Output example:

[ session1=1 session2=26086885 meta1=1 meta2=229364382 size=4623363103 ]
[ key=did pathname=/var/netwitness/concentrator/index/managed-values-16/did.nwindex values=1 summaries=1 pages=0 sessions=17 size=8408 packets=17 summary1=23753 summary2=23753 session1=26086869 session2=26086885 ]
[ key=msg.id pathname=/var/netwitness/concentrator/index/managed-values-16/msg.id.nwindex values=5 summaries=1 pages=1 sessions=14 size=7223 packets=14 summary1=23745 summary2=23745 session1=26086869 session2=26086885 ]
[ key=medium pathname=/var/netwitness/concentrator/index/managed-values-16/medium.nwindex values=1 summaries=1 pages=0 sessions=17 size=8408 packets=17 summary1=23718 summary2=23718 session1=26086869 session2=26086885 ]
[ key=category pathname=/var/netwitness/concentrator/index/managed-values-16/category.nwindex values=3 summaries=1 pages=1 sessions=14 size=7223 packets=14 summary1=23737 summary2=23737 session1=26086869 session2=26086885 ]
[ key=event.desc pathname=/var/netwitness/concentrator/index/managed-values-16/event.desc.nwindex values=6 summaries=1 pages=1 sessions=14 size=7223 packets=14 summary1=23740 summary2=23740 session1=26086869 session2=26086885 ]
[ key=event.type pathname=/var/netwitness/concentrator/index/managed-values-16/event.type.nwindex values=1 summaries=1 pages=1 sessions=14 size=7223 packets=14 summary1=23735 summary2=23735 session1=26086869 session2=26086885 ]
[ key=device.type pathname=/var/netwitness/concentrator/index/managed-values-16/device.type.nwindex values=3 summaries=1 pages=0 sessions=17 size=8408 packets=17 summary1=23720 summary2=23720 session1=26086869 session2=26086885 ]
[ key=device.host pathname=/var/netwitness/concentrator/index/managed-values-16/device.host.nwindex values=1 summaries=1 pages=0 sessions=17 size=8408 packets=17 summary1=23751 summary2=23751 session1=26086869 session2=26086885 ]
[ key=reference.id pathname=/var/netwitness/concentrator/index/managed-values-16/reference.id.nwindex values=5 summaries=1 pages=1 sessions=14 size=7223 packets=14 summary1=23727 summary2=23727 session1=26086869 session2=26086885 ]
[ key=event.source pathname=/var/netwitness/concentrator/index/managed-values-16/event.source.nwindex values=5 summaries=1 pages=1 sessions=14 size=7223 packets=14 summary1=23731 summary2=23731 session1=26086869 session2=26086885 ]
[ key=device.class pathname=/var/netwitness/concentrator/index/managed-values-16/device.class.nwindex values=2 summaries=1 pages=1 sessions=14 size=7223 packets=14 summary1=23724 summary2=23724 session1=26086869 session2=26086885 ]
[ key=event.cat.name pathname=/var/netwitness/concentrator/index/managed-values-16/event.cat.name.nwindex values=2 summaries=1 pages=1 sessions=14 size=7223 packets=14 summary1=23749 summary2=23749 session1=26086869 session2=26086885 ]
[ key=time pathname=/var/netwitness/concentrator/index/managed-values-16/time.nwindex values=2 summaries=1 pages=0 sessions=17 size=8408 packets=17 summary1=23716 summary2=23716 session1=26086869 session2=26086885 ]
[ totalKeys=124 totalValues=37 totalMemory=260077776 ]
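
An added example, not part of the original article or of RSA's tooling: a small Python parser that separates the three record types described above and ranks meta keys by their unique-value count. The function names and the use of the pathname's parent directory as a slice label are assumptions made for illustration; the sample is abridged from the output example above.

```python
import os
import re

# Abridged from the article's output example: the index summary, three of the
# per-key records, and the inspect call summary.
SAMPLE = """\
[ session1=1 session2=26086885 meta1=1 meta2=229364382 size=4623363103 ]
[ key=did pathname=/var/netwitness/concentrator/index/managed-values-16/did.nwindex values=1 summaries=1 pages=0 sessions=17 size=8408 packets=17 summary1=23753 summary2=23753 session1=26086869 session2=26086885 ]
[ key=msg.id pathname=/var/netwitness/concentrator/index/managed-values-16/msg.id.nwindex values=5 summaries=1 pages=1 sessions=14 size=7223 packets=14 summary1=23745 summary2=23745 session1=26086869 session2=26086885 ]
[ key=event.desc pathname=/var/netwitness/concentrator/index/managed-values-16/event.desc.nwindex values=6 summaries=1 pages=1 sessions=14 size=7223 packets=14 summary1=23740 summary2=23740 session1=26086869 session2=26086885 ]
[ totalKeys=124 totalValues=37 totalMemory=260077776 ]
"""

RECORD = re.compile(r"\[\s*(.*?)\s*\]", re.S)  # one bracketed record; may wrap lines
FIELD = re.compile(r"(\w+)=(\S+)")             # name=value pairs separated by whitespace

def parse_record(body):
    """Turn 'name=value ...' into a dict; counters and IDs become ints."""
    return {k: int(v) if k not in ("key", "pathname") and v.isdigit() else v
            for k, v in FIELD.findall(body)}

def classify(rec):
    """Tell the three record types apart by a field unique to each."""
    for field, kind in (("key", "key"), ("totalKeys", "totals"), ("meta1", "index")):
        if field in rec:
            return kind
    return "unknown"

def parse_inspect(text):
    """Parse full /index/inspect output into index, per-key and totals records."""
    out = {"index": None, "keys": [], "totals": None, "unknown": []}
    for match in RECORD.finditer(text):
        rec = parse_record(match.group(1))
        kind = classify(rec)
        if kind == "key":
            # Assumption: the directory holding the .nwindex file names the slice.
            rec["slice"] = os.path.basename(os.path.dirname(rec["pathname"]))
            out["keys"].append(rec)
        elif kind == "unknown":
            out["unknown"].append(rec)
        else:
            out[kind] = rec
    return out

def keys_by_cardinality(parsed):
    """(slice, key, values) tuples, highest unique-value count first."""
    rows = [(r["slice"], r["key"], r["values"]) for r in parsed["keys"]]
    return sorted(rows, key=lambda row: -row[2])
```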



Internal Comments

UserName:shurtj
8/7/2014 5:09:25 PM - Updated Article
Updated article and made changes to abide by Primus best practices.


Product Details

RSA Security Analytics
RSA Security Analytics Concentrator
INTERNAL ONLY !!!!