Query result has a limitation of 10,000,000 sessions retrieved in RSA NetWitness Reporting Engine
Issue
The number of sessions a WHERE clause query issued by the Reporting Engine can retrieve is capped at 10 million (10,000,000).
Cause
The Concentrator setting /sdk/config/max.where.clause.sessions defaults to 10 million, so a query whose WHERE clause matches more sessions than that returns results for at most 10 million of them. The Broker and Concentrator audit logs below show such a query: the Concentrator logs an [Index] warning that the where clause hit the session limit, and the query then finishes normally with the capped result set.
Jul 19 12:50:49 head01 NwBroker[4773]: [SDK-Query] [audit] User admin (session 2166457, 127.0.0.1:40964) has issued query (channel 6305023) (thread 21595): id1=766729193803 id2=1508946727145 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto"
Jul 19 12:56:36 head01 NwBroker[4773]: [SDK-Query] [audit] User admin (session 2166457, 127.0.0.1:40964) has finished query (channel 6305023, queued 00:00:00, execute 00:05:47, 10.10.10.100:50005=00:05:47 10.10.10.101:50005=00:05:36 10.10.10.102:50005=00:04:35): id1=766729193803 id2=1508946727145 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto"
Jul 19 12:50:49 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has issued query (channel 1527486) (thread 23706): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
Jul 19 12:56:25 concent01 NwConcentrator[23480]: [Index] [warning] query where clause '(time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53))' hit the where clause session limit of 10000000
Jul 19 12:56:25 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has finished query (channel 1527486, queued 00:00:00, execute 00:05:36): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
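The following Python script is an added example, not part of this article or of the NetWitness product. It shows how to detect capped reports from the log entries above: it parses the Broker and Concentrator audit lines, pairs each Concentrator "[Index] [warning] ... hit the where clause session limit" entry with the "has finished query" audit line for the same host and WHERE clause, and lists the user, channel, runtime and limit of every query whose result set was truncated. The regular expressions and field names are the author's assumptions based on the line format shown above; the sample log is constructed from those lines, and the second query (channel 1527500) is invented to show a query that completes without hitting the limit.

```python
"""Flag SDK/Reporting Engine queries that hit max.where.clause.sessions.

Added example for this article, not RSA NetWitness code. Field names and
regular expressions are assumptions derived from the log format shown above.
"""
import re

# Constructed sample log: the Broker/Concentrator lines from the article plus an
# invented shorter query (channel 1527500) that finishes without a warning.
SAMPLE_LOG = """\
Jul 19 12:50:49 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has issued query (channel 1527486) (thread 23706): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
Jul 19 12:56:25 concent01 NwConcentrator[23480]: [Index] [warning] query where clause '(time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53))' hit the where clause session limit of 10000000
Jul 19 12:56:25 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has finished query (channel 1527486, queued 00:00:00, execute 00:05:36): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto "
Jul 19 12:56:36 head01 NwBroker[4773]: [SDK-Query] [audit] User admin (session 2166457, 127.0.0.1:40964) has finished query (channel 6305023, queued 00:00:00, execute 00:05:47, 10.10.10.100:50005=00:05:47 10.10.10.101:50005=00:05:36 10.10.10.102:50005=00:04:35): id1=766729193803 id2=1508946727145 threshold=0 query="select count(ip.proto) where (time='2016-Jul-18 12:50:00'-'2016-Jul-19 12:49:59') && ((ip.proto=17 && service=53)) group by ip.proto"
Jul 19 13:02:10 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has issued query (channel 1527500) (thread 23706): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-19 12:50:00'-'2016-Jul-19 13:00:00') && (service=80) group by ip.proto "
Jul 19 13:02:11 concent01 NwConcentrator[23480]: [SDK-Query] [audit] User admin (session 715, 10.10.10.99:48082) has finished query (channel 1527500, queued 00:00:00, execute 00:00:01): id1=2028691728823 id2=2247842067067 size=0 flags=0 threshold=0 query="select count(ip.proto) where (time='2016-Jul-19 12:50:00'-'2016-Jul-19 13:00:00') && (service=80) group by ip.proto "
"""

# "[SDK-Query] [audit] ... has issued|finished query (channel N ...): ... query="..."
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \w+\[\d+\]: "
    r"\[SDK-Query\] \[audit\] User (?P<user>\S+) \(session (?P<session>\d+), (?P<client>[^)]+)\) "
    r"has (?P<event>issued|finished) query \(channel (?P<channel>\d+)[^)]*\).*?"
    r'query="(?P<query>.*)"\s*$'
)
# "[Index] [warning] query where clause '...' hit the where clause session limit of N"
WARN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \w+\[\d+\]: \[Index\] \[warning\] "
    r"query where clause '(?P<clause>.*)' hit the where clause session limit of (?P<limit>\d+)\s*$"
)
# The WHERE clause inside the audited query text, up to an optional group by / order by.
WHERE_RE = re.compile(
    r"\bwhere\s+(?P<clause>.*?)\s*(?:\bgroup\s+by\b|\border\s+by\b|$)", re.I | re.S
)
EXEC_RE = re.compile(r"execute (\d\d):(\d\d):(\d\d)")


def _norm(clause):
    """Collapse whitespace so the warning's clause and the query's clause compare equal."""
    return " ".join(clause.split())


def where_clause_of(query):
    """Extract the normalised WHERE clause from an audited query string, or None."""
    m = WHERE_RE.search(query)
    return _norm(m.group("clause")) if m else None


def execute_seconds(line):
    """Return the 'execute hh:mm:ss' runtime of a finished-query line in seconds, or None."""
    m = EXEC_RE.search(line)
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def find_truncated_queries(log_text):
    """Pair each session-limit warning with the finished query it applies to.

    A warning is matched to the next finished-query audit line on the same host
    whose WHERE clause is identical; each warning is consumed by one query.
    """
    pending = {}    # (host, normalised where clause) -> limit reported by the warning
    truncated = []
    for line in log_text.splitlines():
        w = WARN_RE.match(line)
        if w:
            pending[(w["host"], _norm(w["clause"]))] = int(w["limit"])
            continue
        a = AUDIT_RE.match(line)
        if not a or a["event"] != "finished":
            continue
        key = (a["host"], where_clause_of(a["query"]))
        limit = pending.pop(key, None)
        if limit is None:
            continue    # finished without hitting the cap
        truncated.append({
            "time": a["ts"], "host": a["host"], "user": a["user"],
            "channel": a["channel"], "limit": limit,
            "execute_seconds": execute_seconds(line), "where": key[1],
        })
    return truncated


if __name__ == "__main__":
    for hit in find_truncated_queries(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} channel {hit['channel']} (user {hit['user']}): "
              f"result capped at {hit['limit']} sessions after {hit['execute_seconds']}s "
              f"for where clause {hit['where']}")
```

Feed it the log text that contains these audit and index entries; every channel it lists is a query whose result set was capped at the limit shown, which is the same condition the Reporting Engine flags with a Note in the schedule result. Running it after raising max.where.clause.sessions confirms whether the new value is large enough for the reports in use.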
Resolution
To resolve this issue, increase the value of the /sdk/config/max.where.clause.sessions setting. Perform the following steps:
- Log in to the NetWitness UI as the admin user.
- Navigate to Admin > Services.
- Select the Concentrator and click Actions > View > Explore.
- Expand /sdk in the left tree and click /sdk/config.
- Click the value field for max.where.clause.sessions in the right frame.
- Increase it to a value suitable for your deployment and press Enter.
- Schedule a report on the Reporting Engine after the change is complete.
- If the schedule result still shows a Note, increase the value further.
Monitor the system carefully after the change, since a larger limit can affect query performance.
Notes
For more information, review the product documentation and knowledge base articles on /sdk/config/max.where.clause.sessions.
Product Details
Netwitness Product Set: Netwitness Platform
Netwitness Product/Service Type: Core Appliance, Report Engine
Netwitness Version/Condition: 11.x, 12.x or later
Platform: CentOS/Alma Linux