Skip to content
  • There are no suggestions because the search field is empty.

How to use the not begins operator in Netwitness Reporting Engine query

Issue

When writing a query only the following operators are available
  • =
  • !=
  • begins
  • contains
  • ends
  • exists
  • !exists
  • length
  • regex
If you want to do a query that is a negative of one of these, for example 
  • not begins
  • not contains
  • not ends
Then there is no operator available for this. The reason for this is that such an operator would be very computationally expensive and performance would be very slow. There is however another way.

Tasks

To solve this issue create an app rule that will tag the meta that you are interested,

For example, suppose you wanted to find all destination usernames that did not begin with foo.
You can create an app rule on your logdecoder as follows
  1. SA GUI -> Services -> Log Decoder ->Config
  2. App Rules Tab
  3. Create an App Rule with Rule Name "Account Begins with Foo"
  4. Condition is user.dst begins foo
  5. Sessions Options - Tick Alert and Alert on metakey "Alert"
  6. Apply the App Rule
Any usernames that begin with foo will now have the Meta "Account Begins with Foo" in the Alert metakey



Resolution

Instead, you could create an app rule that flags wildcard strings and then refer to that app rule with a NOT (!=) operator in the report query.

In your report, use the following in your rule to display all usernames that do not begin with foo.

select: user.dst
where alert != '"Account Begins with Foo"


Product Details

Product Set: Netwitness Admin Server
Product/Service Type: Netwitness Admin Server, Reporting Engine
Version/Condition: 11.x, 12.x
O/S Version: CentOS/AlmaLinux


Approval Reviewer Queue

Technical approval queue