ESA Rule Syntax Error when using the meta index to lowercase
Issue
Whenever a customer creates an ESA Rule using the Rule Builder or Advanced EPL with index.toLowerCase(), they receive a syntax error. For example, the sample rule below generates the error "Syntax error in module. Incorrect syntax".
Sample Rule -
@Name('Module_xxxxxxxxxxx_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
/* Statement: NEW */
(index.toLowerCase() LIKE '%toto%')
);
Error -
Syntax error in module. Incorrect syntax near '(' expecting a closing parenthesis ')' but found an opening parenthesis '(' at line 6 column 30, please check the filter specification within the from clause [@Name('Module_xxxxxxxxxxx_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
/* Statement: NEW */
(index.toLowerCase() LIKE '%toto%')
)]
Index is listed as a string in the meta key definitions.
This behavior occurs because index is a keyword in EPL, so the index meta key cannot be converted to lowercase inside a rule.
Resolution
A workaround is available for RSA NetWitness Platform version 11.3.x onwards. If a customer wants to use the index meta with lowercase functionality, they can declare the 'index' meta under the 'lowercase' field in the Correlation Server Explore view and use 'index_lower' in the ESA rule, which will hold the lowercase value of the index meta. It is always recommended to identify the meta that needs lowercase functionality and add it under the lowercase field to improve performance.
Steps to add index meta to lowercase -
- Navigate to Admin -> Services -> ESA Correlation -> Explore
- Under Explore, go to correlation -> stream and add the meta (in this case index) under the lowercase field
- Go to Configure -> ESA Rules -> Settings -> Meta Key References and click the 'Meta Re-sync' button
Then edit the ESA rule and use 'index_lower' instead of 'index' as the meta key.
An ESA Rule with the above workaround looks like this -
@Name('Module_xxxxxxxxx_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
/* Statement: NEW */
(index_lower LIKE ('%toto%'))
);
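The rule edit described above can be checked across exported Advanced EPL text before deployment. The following is an added example, not RSA code: it rewrites index.toLowerCase() to index_lower while leaving comments and string literals untouched. The function name, the key set and the user_dst key in the sample are hypothetical, and applying the <key>_lower naming to keys other than index is an assumption.

```python
import re

# Meta keys declared under the "lowercase" field on the Correlation Server.
# Only "index" comes from the article; extending the <key>_lower naming to
# other keys is an assumption.
LOWERCASED_KEYS = {"index"}

# Comments and string literals are matched first so text inside them is
# never rewritten; the second alternative is a bare <key>.toLowerCase() call.
TOKEN = re.compile(
    r"""(?P<skip> /\*.*?\*/ | //[^\n]* | '(?:[^'\\]|\\.)*' | "(?:[^"\\]|\\.)*" )
      | (?<![\w.]) (?P<key>[A-Za-z_]\w*) \s*\.\s* toLowerCase \s*\(\s*\)""",
    re.DOTALL | re.VERBOSE,
)

def rewrite_rule(epl, keys=LOWERCASED_KEYS):
    """Return (rewritten_epl, findings); findings are (line, original, replacement)."""
    findings = []

    def repl(match):
        key = match.group("key")
        if key is None or key not in keys:
            return match.group(0)  # comment, string, or undeclared key: unchanged
        line = epl.count("\n", 0, match.start()) + 1
        findings.append((line, match.group(0), key + "_lower"))
        return key + "_lower"

    return TOKEN.sub(repl, epl), findings

# Constructed sample: the article's rule plus a comment, a string literal and
# a second (hypothetical) meta key that must all be left untouched.
SAMPLE_RULE = """@Name('Module_xxxxxxxxxxx_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
/* Statement: NEW, was index.toLowerCase() */
(index.toLowerCase() LIKE '%toto%')
AND (user_dst.toLowerCase() LIKE '%index.toLowerCase()%')
);"""

if __name__ == "__main__":
    fixed, found = rewrite_rule(SAMPLE_RULE)
    for line, old, new in found:
        print(f"line {line}: {old} -> {new}")
    print(fixed)
```

The rewritten rule only works after the meta has been added to the lowercase field and the Meta Re-sync step has been run.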
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Version/Condition: 11.3.x, 11.4.x