Delay in seeing Events in the Investigation UI in NetWitness Investigate

Issue

Customer sees a delay in events in the NetWitness Investigate UI.

Cause

Events are being cached for up to 20 minutes before being displayed.

Resolution

Note: This value can be reduced to 0 or very low EPS environments, but should otherwise never be set below 5. This setting needs to be unified across all Brokers and Concentrators to avoid any inconsistencies on how events are displayed. 

On each core device (Broker or Concentrator), do the following:

1. Admin>Services>Broker|Concentrator\LogDecoder (Retention Log Hybrid Only)
2. Expand sdk\config
3. Set cache.window.minutes to the desired value
4. Press enter or click outside of the box to commit
5. Changes should be immediate
6. Repeat for all Brokers and Concentrators.

Internal Comments

UserName:shurtj
8/7/2014 8:37:17 PM - Updated Article
Changed audience to internal.

Evan Pols -- 30 Apr 2024
Adjusted name, applies to, rewrote for clarity.

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Broker, Concentrator, Retention Log Hybrid (LogDecoder service only)
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS 7,AlmaLinux

Approval Reviewer Queue

Technical approval queue