NetWitness Entity checksum.all has a non-matching index level for referenced key checksum.src Error Occurred When Querying in Investigate Events

Issue

User cannot query anything in Investigate Events view.  Each query item, regardless of the query, displays "Entity checksum.all has a non-matching index level for referenced key checksum.src". 

Cause

checksum.all is an entity in the concentrator and it includes the following keys in index-concentrator.xml.

 

We recommend that all the keys in the entity must be indexed at the same level. If not, this issue would occur.

For example, checksum.src and checksum.dst are indexed as "IndexValues" in index-concentrator.xml

but checksum is indexed as "Indexkeys" in index-concentrator-custom.xml:
In this case, the index level of checksum should be changed to "IndexValues"

Note: This can happen with any meta entity.

Resolution

 

1. Modify the index level of checksum, checksum.src or checksum.dst in index-concentrator-custom.xml file.
2. After making sure all the keys have the same indexing level, either of the following steps can be performed:
   1. Option #1 (Recommended) : Navigate to Explore page of the concentrator. Right click "index" node and click "properties". Select "save" from dropdown and click send. This should make the changed index effective.
   2. Option #2 : Restart the concentrator service.

This should resolve the error: "Entity checksum.all has a non-matching index level for referenced key checksum.src"

Note: In broker index, no changes are required. Change the index-concentrator-custom.xml in all concentrators connected to the broker.

Product Details

RSA Product Set: NetWitness Platform
RSA Product/Service Type: Concentrator
RSA Version/Condition: 11.x, 12.x
Platform: Centos 7 / AlmaLinux 8.9

Approval Reviewer Queue

Technical approval queue