netwitness-meta
Fetch meta records from Netwitness Decoder
netwitness-meta profile=PROFILE [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [ip=IP] [ip2=IP2] [query=QUERY]
- profile=PROFILE
- The identifier of NetWitness connect profile
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. You should use s(second), m(minute), h(hour), d(day), mon(month) time unit. For example,
10smeans data from 10 seconds earlier. - from=yyyyMMddHHmmss
- Start time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- to=yyyyMMddHHmmss
- End time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- ip=IP
- First IP address for search
- ip2=IP2
- Second IP address for search
- query=QUERY
- Meta query string
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| profile | String | Connect profile | The identifier of NetWitness connect profile |
| id1 | Long | ID1 | Start ID of the range |
| id2 | Long | ID2 | Last ID of the range |
| group | Long | Group | Session ID |
| type | String | Type | Meta name. e.g. sessionid, ip.src, ip.dst, ip.proto |
| value | Mixed | Value | |
| count | Integer | Count | |
| format | Integer | Format | e.g. 4 for int32, 128 for IPv4 address, 130 for MAC address |