Query for raw process document information from a standalone EDR Server

• EDR: 6.x and higher
• Standalone EDR Server

See Additional Information section for clustered server environments

1. Log into the console.
2. Perform your search and click the process to bring you to the Process Analysis page.
3. In the Process Analysis page grab the Unique ID (highlighted in red) from the browser URL

   https://<server>/#/analyze/00000007-0000-24c8-01d4-6cab54141c72/1540927207635?cb.legacy_5x_mode=false

4. Log into the server via ssh/terminal and run the following command, replacing the <uniqueid>:

   curl 'http://localhost:8080/solr/reader/select?q=id:<uniqueid>*&rows=0'
   

5. View the "numFound" and enter a value greater than in the &rows= section of the next command. 

   response":{"numFound":29,"start":0,"maxScore":1.0,"docs":

6. Run the following command, in the example numFound came back as 29, so 40 is used to give a buffer as the rows= 

   curl 'http://localhost:8080/solr/reader/select?q=id:<uniqueid>*&wt=json&indent=true&rows=40&debug=track&sort=last_server_update%20asc' >> <uniqueid>.json && /usr/share/cb/cbpost <uniqueid>.json

• Common Errors:
  • "The requested resource is not available": Curl command was run on the incorrect server/node. See How to get raw process documents via Curl (Clustered)
  • "numFound=0": Incorrect or missing unique id,  incorrect server/node or md5 hash is lowercase.