Skip to content
  • There are no suggestions because the search field is empty.

How to enable indexing for size meta key in NetWitness

Issue

When size meta key defined in index-concentrator-custom.xml file, the concentrator gets initialization error as below.

/var/log/messages:
Mar 31 07:02:25 ConcentratorA NwConcentrator[73296]: [Engine] [failure] Module concentrator failed to load: Size meta indexes must be bucketed
Mar 31 07:02:25 ConcentratorA NwConcentrator[73296]: [Engine] [failure] Module concentrator failed to load: Diagnostic information: Throw in function nw::ManagedIndexPagesPtr nw::{anonymous}::syncLanguageToManagedLanguage(nw::PageSlices&, nw::ManagedIndexPageMap&, nw::AtomicSharedPtr<const nw::PerKeyStats>&, const nw::Language&, const SliceCacheMap&)Dynamic exception type: boost::exception_detail::clone_impl<nw::Exception>std::exception::what: Size meta indexes must be bucketed[boost::errinfo_at_line_*] = 203

Tasks

This issue is due to the bucket requirement for size key definition as this key contains numerous integer values.

Resolution

Please define index definition using the below line in index-concentrator-custom.xml .



Then stop Aggregation in Concentrator->Config page and restart concentrator service using below command.

systemctl restart nwconcentrator.service

More details on bucketing available in Numeric Bucketing .

Product Details

RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.5.1.0
Platform: CentOS
O/S Version: 7

Summary

This document outlines the procedure to enable Indexing for size meta key.


Approval Reviewer Queue

Technical approval queue