Report fails when lookup_and_add rule action used in RSA NetWitness Platform
Issue
When a report that uses the lookup_and_add rule action (as described in the Reporting: NWDB Rule Syntax document) is run, the report fails with the error below.
Error occurred while fetching data from source 'BROKER[10.10.1.1]'. Error details : rule syntax error: expected a comma-separated list of quoted string ranges or values or a comma-separated list of keys for device: 10.10.1.2:50005.
Cause
This issue occurs when one of the Broker's data sources does not have real-time data. The lookup_and_add rule action iterates through a list of values in a result set and looks up additional metadata. If one data source offers no values for the report duration, the report fails with an error.
Workaround
Investigate why real-time logs are not available on the data source named in the error (from the error log above, the 10.10.1.2 Concentrator). Possible causes:
- Concentrator aggregation stopped.
- Concentrator aggregation has a large sessions.behind value with status consuming.
This can be verified on the ADMIN -> Services -> Concentrator -> Config -> General page.
Once real-time data is available in all data sources of the Broker, the report runs successfully.
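When the error appears repeatedly, the device at the end of each error line shows which data source to investigate. The following is an added example, not RSA code: it assumes the error lines have been exported to text, the sample lines are constructed from the error message quoted above, and the function name is hypothetical.

```python
import re

# Pattern built from the error text quoted in this article. search() is used,
# so any timestamp or logger prefix in front of the message is ignored.
ERROR_RE = re.compile(
    r"Error occurred while fetching data from source '(?P<source>[^']+)'\."
    r".*?rule syntax error: expected a comma-separated list"
    r".*?for device: (?P<host>[0-9A-Za-z_.\-]+):(?P<port>\d+)"
)

def failing_devices(lines):
    """Count lookup_and_add failures per (source, device host, device port)."""
    hits = {}
    for line in lines:
        m = ERROR_RE.search(line)
        if m is None:
            continue  # unrelated message, or a different fetch error
        key = (m["source"], m["host"], int(m["port"]))
        hits[key] = hits.get(key, 0) + 1
    return hits

# Constructed sample input: the first line is the error from this article,
# the others are variations made up for the example.
SAMPLE = [
    "Error occurred while fetching data from source 'BROKER[10.10.1.1]'. "
    "Error details : rule syntax error: expected a comma-separated list of "
    "quoted string ranges or values or a comma-separated list of keys for "
    "device: 10.10.1.2:50005.",
    "Error occurred while fetching data from source 'BROKER[10.10.1.1]'. "
    "Error details : rule syntax error: expected a comma-separated list of "
    "quoted string ranges or values or a comma-separated list of keys for "
    "device: 10.10.1.2:50005.",
    "Error occurred while fetching data from source 'BROKER[10.10.1.1]'. "
    "Error details : rule syntax error: expected a comma-separated list of "
    "quoted string ranges or values or a comma-separated list of keys for "
    "device: 10.10.1.3:50005.",
    "Error occurred while fetching data from source 'BROKER[10.10.1.1]'. "
    "Error details : some other failure (constructed, must not match).",
]

if __name__ == "__main__":
    for (source, host, port), count in sorted(failing_devices(SAMPLE).items()):
        print(f"{source}: check aggregation on {host}:{port} ({count} failures)")
```

Each device listed is a data source to check on the Config -> General page for stopped or lagging aggregation.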
Product Details
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Reporting Engine
RSA Version/Condition: 11.3.2.0, 11.5.1.X
Platform: CentOS
O/S Version: 7
Summary
This document outlines the procedure to run the report successfully.