.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
How to index NetWitness event.time metakey if required
Issue
A user wants to perform queries with exact matches against the Event Time (event.time) metakey, but the default indexing level will not allow it.
Resolution
If you need to index the event.time metakey so it can be queried more easily, then set it as IndexKeys rather than IndexNone with these steps :
- Navigate to Admin > Services > Concentrator > Config > Files Index-concentrator-custom.xml
- Add the following line below this message (
) :
<key description="Event Time" format="TimeT" level="IndexKeys" name="event.time" valueMax="0" /> - Press "Apply"
- Restart the Concentrator service from the Concentrator>System page with the "Shutdown Service" button
Notes
Technically it is possible to index event.time, but it creates problems with the index because having unique values created in your index will grow it massively, leading to performance issues as well as other side effects. However, you can still make use of the event.time meta in your reports when in the *select* clause (index is used only if you need something in the *where* clause).
Product Details
NetWitenss Product Set: NetWitness
NetWitenss Product/Service Type: Concentrator
NetWitenss Version/Condition: 11.x,12.x
Platform: CentOs,AlmaLinux
Approval Reviewer Queue
Technical approval queue