Skip to content
  • There are no suggestions because the search field is empty.

In RSA NetWitness version 11.3.x, queries in Investigate > Navigate are automatically modified

Issue

When attempting to run a query in Investigate > Navigate within the RSA NetWitness UI and pressing "Apply," the query is automatically modified to a different query that was not originally entered and provides different data.


Workaround

This workaround is due to whenever a query is executed that is automatically modified, it fetches the incorrect ID for that query from the list within the URL Integrations page, which is why the query is modified.
  1. On node zero, log into mongo.
    mongo admin -u deploy_admin -p <password>
  2. Display the list of databases and choose the investigate-server database.
    > show dbs
    > use investigate-server
  3. Run the following command, which will retain any old queries previously ran in Investigation. However, if you have previously bookmarked any URL's from Investigation, such as "https:// /investigation/18/navigate/values/1284", the bookmarks will no longer be valid, as the ID's associated with the old queries (in this example: 1284) will not work. 
    > db.getCollection('predicate').updateMany({}, {$unset: {"legacyId": ""}})

     

Notes

If this does not solve your issue, please  open a case with RSA Technical Support and reference this article so that we may better assist you.

Product Details

RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: NetWitness UI
RSA Version/Condition: 11.3.x
Platform: CentOS
O/S Version: 7

Summary

When attempting to run a query in Investigate and pressing Apply, the query is automatically modified to a different query that was not originally entered and provides different data.


Approval Reviewer Queue

RSA NetWitness Suite Approval Queue