CB Response: Binary Search spins and fails to load results
search cancel

CB Response: Binary Search spins and fails to load results

book

Article ID: 285761

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • When searching for a binary, a spinning progress will appear, but when it's done, nothing has changed on the search page
  • Requests in /var/log/cb/nginx/access.log show 500 responses
  • Solr's debug.log has an error containing the following statement 
    null:org.apache.solr.common.SolrException: Exception during facet.field: hostname

Environment

  • CB Response Server: 6.1.2 and Higher

Cause

This issue occurs when the facet query times out and produces an error.

Resolution

There are two possible workarounds. Choose a workaround depending on how frequently this error occurs

  1. If this occurs for one particular binary search, you can modify the search URL. Once the search times out, add &facet.method=enum to the end of the URL

    https://192.168.81.128/#/binaries/cb.urlver=1&q=notepad.exe&sort=server_added_timestamp%20desc&rows=...

  2. If this issue occurs for most or all binary searches, you can disable the facet which causes this error. For example, in the Solr error above, the facet "hostname" was causing the timeout.

    1. Edit /etc/cb/cb.conf. Set the CoreServicesDisabledBinaryFacets value to whatever facet is failing
CoreServicesDisabledBinaryFacets=hostname
  1. Restart coreservices on the Master server.
service cb-coreservices restart
Powered by Wolken Software