6.7 Highlight Generation

The Alert Viewer subsystem displays alert and match highlights in the Alert List and Alert Context sections of the OFSBD UI.

The system calculates and stores these highlights in the database as part of the batch cycle, using the run_highlights.ksh shell script.

This script is part of the Database Tools, which reside in the <OFSAAI Installed Directory>/database/db_tools/bin directory. The script connects to the database as the user named by the utils.database.username property in the <OFSAAI Installed Directory>/database/db_tools/mantas_cfg/install.cfg file. Run highlight generation after alerts have been created and before the batch is ended with the end_mantas_batch.sh script. By default, Behavior Detection writes the log messages for this script to the <OFSAAI Installed Directory>/database/db_tools/logs/highlights.log file.

Highlight Generation Limits

The default limit for highlight generation in post-processing is 50,000 alerts. You can raise this limit to match your alert volumes. If a scenario generates more than 50,000 alerts, highlights are generated only for the first 50,000; the highlights of all remaining alerts are NULL.

Increasing Highlight Generation Limits

If your alert count exceeds 50,000, follow these steps to increase the limit:
  1. End the current batch, if one is running.
  2. Change the maxCount value in the file <FIC_HOME>/database/db_tools/mantas_cfg/etc/xml/DB_AlertContext.xml.

    For example, for an alert count of up to 100,000, change <DataBag name="FindAlerts" table="KDD_REVIEW" maxCount="50000"> to <DataBag name="FindAlerts" table="KDD_REVIEW" maxCount="100000">. Edit only the maxCount attribute of the FindAlerts DataBag; leave the rest of the element unchanged.

  3. Set the batch date.
  4. Start the batch.

Displaying Missing Highlights

If highlights are missing (NULL) for an earlier, backdated batch, follow these steps to generate and display them:
  1. End the current batch, if one is running.
  2. Change the maxCount value in the file <FIC_HOME>/database/db_tools/mantas_cfg/etc/xml/DB_AlertContext.xml.

    For example, for an alert count of up to 100,000, change <DataBag name="FindAlerts" table="KDD_REVIEW" maxCount="50000"> to <DataBag name="FindAlerts" table="KDD_REVIEW" maxCount="100000">.

  3. Set the batch date to the date for which the highlight issue exists.
  4. Start the batch.
  5. From KDD_PRCSNG_BATCH_HIST, get the PRCSNG_BATCH_ID of the earlier batch whose data dump date is the date for which the highlights were NULL.
  6. Note the current PRCSNG_BATCH_ID from KDD_PRCSNG_BATCH_CONTROL (for example, in a text editor) so that you can restore it later.
  7. Manually update KDD_PRCSNG_BATCH_CONTROL with the PRCSNG_BATCH_ID from step 5.
  8. Rerun run_highlights.ksh and then run_hdc.ksh.
  9. Manually update KDD_PRCSNG_BATCH_CONTROL with the PRCSNG_BATCH_ID you noted in step 6. Restore it even if step 8 fails, so that the control table is not left pointing at the earlier batch.
  10. Verify in the UI that the highlights display.
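The following script is an added example and is not part of the OFSBD distribution. It automates step 2 of both procedures above (editing maxCount on the FindAlerts DataBag, with a backup and a check that only that element is touched) and steps 5 to 9 of the backdated procedure (running the highlight scripts under the earlier PRCSNG_BATCH_ID and always restoring the current one). The element layout of DB_AlertContext.xml beyond the DataBag line shown in this guide, the column names PRCSNG_BATCH_ID and DATA_DUMP_DT, the sqlplus connect string held in OFS_DB_CONN, and the sample file it edits are all assumptions made for the example.

```shell
#!/bin/sh
# Added example; not part of the OFSBD distribution. Assumes the DB_AlertContext.xml
# element shown in the guide: <DataBag name="FindAlerts" table="KDD_REVIEW" maxCount="...">.
# The Oracle column names (PRCSNG_BATCH_ID, DATA_DUMP_DT) and the OFS_DB_CONN
# connect string used below are assumptions, not taken from the guide.

FIND_ALERTS='DataBag name="FindAlerts" table="KDD_REVIEW"'

# Print the current maxCount of the FindAlerts DataBag (empty if it is not present).
find_alerts_max_count() {
  sed -n "/$FIND_ALERTS/s/.*maxCount=\"\([0-9]*\)\".*/\1/p" "$1"
}

# Set maxCount on the FindAlerts DataBag only, keeping a timestamped backup.
# A bare s/50000/100000/ would also rewrite any other DataBag or attribute that
# happens to carry the same number; anchoring the edit on the element avoids that.
set_find_alerts_max_count() {
  xml="$1"; new="$2"
  case "$new" in
    ''|*[!0-9]*) echo "maxCount must be a positive integer, got '$new'" >&2; return 2 ;;
  esac
  hits=$(grep -c "$FIND_ALERTS" "$xml" || true)
  [ "$hits" -eq 1 ] || { echo "expected exactly one FindAlerts DataBag in $xml, found $hits" >&2; return 3; }
  cp -p "$xml" "$xml.$(date +%Y%m%d%H%M%S).bak" || return 4
  tmp="$xml.tmp.$$"
  sed "/$FIND_ALERTS/s/maxCount=\"[0-9]*\"/maxCount=\"$new\"/" "$xml" > "$tmp" && mv "$tmp" "$xml"
}

# Steps 5 to 9 of "Displaying Missing Highlights": run the highlight scripts under the
# PRCSNG_BATCH_ID of the batch whose highlights are NULL, then put the current id back
# whether or not the scripts succeeded. Both ids are checked to be plain integers
# before they are interpolated into SQL.
rerun_highlights_for_dump_date() {
  dump_date="$1"                                   # ISO date, e.g. 2024-01-31
  case "$dump_date" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo "dump date must be YYYY-MM-DD, got '$dump_date'" >&2; return 1 ;;
  esac
  bin="${FIC_HOME:?FIC_HOME is not set}/database/db_tools/bin"
  conn="${OFS_DB_CONN:?set to user/password@tns for the utils.database.username user}"
  sql() { printf '%s\n' 'set heading off feedback off pagesize 0' "$1" 'exit' | sqlplus -s "$conn"; }
  cur=$(sql 'select prcsng_batch_id from kdd_prcsng_batch_control;' | tr -d ' \r')
  prev=$(sql "select max(prcsng_batch_id) from kdd_prcsng_batch_hist where trunc(data_dump_dt) = date '$dump_date';" | tr -d ' \r')
  for id in "$cur" "$prev"; do
    case "$id" in ''|*[!0-9]*) echo "unexpected batch id '$id'" >&2; return 1 ;; esac
  done
  echo "current batch id is $cur; rerunning highlights as batch $prev"
  sql "update kdd_prcsng_batch_control set prcsng_batch_id = $prev; commit;"
  "$bin/run_highlights.ksh" && "$bin/run_hdc.ksh"; rc=$?
  sql "update kdd_prcsng_batch_control set prcsng_batch_id = $cur; commit;"   # step 9, always
  return $rc
}

# Demonstration on a constructed sample file. The <Config> wrapper and the second
# DataBag are made up to show that unrelated elements are left alone; the real file
# is <FIC_HOME>/database/db_tools/mantas_cfg/etc/xml/DB_AlertContext.xml.
SAMPLE_XML=$(mktemp) || exit 1
cat > "$SAMPLE_XML" <<'EOF'
<Config>
  <DataBag name="FindAlerts" table="KDD_REVIEW" maxCount="50000">
  </DataBag>
  <DataBag name="OtherBag" table="KDD_OTHER" maxCount="50000">
  </DataBag>
</Config>
EOF
set_find_alerts_max_count "$SAMPLE_XML" 100000
echo "FindAlerts maxCount is now $(find_alerts_max_count "$SAMPLE_XML")"
```

Run set_find_alerts_max_count against the real file with the batch ended, then set the batch date and start the batch as in steps 3 and 4. rerun_highlights_for_dump_date restores the current id after the scripts return, but not if the shell itself is killed mid-run; if that happens, check KDD_PRCSNG_BATCH_CONTROL by hand before starting the next batch.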