EDR: How to Find the Average Number of Events from Solr
Article ID: 287586

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to find the average number of events per process document ingested by EDR, using the Solr console and a JSON facet query.

Environment

  • EDR Server: All Versions

Resolution

  1. Open the Solr console.
  2. Navigate to Core Admin and find the name of a recent core that has been rolled over (a closed core gives a complete sample for its rollover period).
  3. Select the core at the bottom left and note the number of docs and the total index size on the Core Overview page. Dividing the index size by the document count gives the average document size.
  4. Run the query, substituting the core name chosen in step 2:
    http://localhost:8080/solr/<SolrCoreName>/select?q=terminated%3Atrue&wt=json&indent=true&rows=0&json.facet={modload_count:%22avg(modload_count)%22,regmod_count:%22avg(regmod_count)%22,filemod_count:%22avg(filemod_count)%22,netconn_count:%22avg(netconn_count)%22,childproc_count:%22avg(childproc_count)%22,crossproc_count:%22avg(crossproc_count)%22}
  5. Review the values returned under "facets" in the JSON response: each field is the average count of that event type (module loads, registry modifications, file modifications, network connections, child processes, cross-process events) per terminated process document.
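The following script is an added example, not part of this article or of the Carbon Black EDR product: it rebuilds the step 4 query URL for a given core name and summarizes the "facets" section of the response together with the doc count and index size from step 3. The base URL http://localhost:8080/solr is the one the article uses; the response below is a constructed sample, not real data.

```python
import json
from urllib.parse import urlencode

# Event-count fields that the article's json.facet query averages.
COUNT_FIELDS = ["modload_count", "regmod_count", "filemod_count",
                "netconn_count", "childproc_count", "crossproc_count"]


def build_query_url(core, base="http://localhost:8080/solr"):
    """Rebuild the article's select URL for the given Solr core name."""
    facet = "{" + ",".join(f'{f}:"avg({f})"' for f in COUNT_FIELDS) + "}"
    params = {"q": "terminated:true", "wt": "json", "indent": "true",
              "rows": "0", "json.facet": facet}
    return f"{base}/{core}/select?" + urlencode(params)


def summarize(facet_response, num_docs, index_size_bytes):
    """Combine the facet averages with the Core Overview figures.

    Solr returns stat facets directly under "facets" next to a "count" of
    matched documents; a core with no matches may omit the stat keys, so
    missing fields are skipped and an empty core yields a 0.0 doc size.
    """
    facets = facet_response.get("facets", {})
    per_type = {f: round(float(facets[f]), 2) for f in COUNT_FIELDS if f in facets}
    return {
        "matched_processes": int(facets.get("count", 0)),
        "avg_events_per_process": per_type,
        "avg_total_events_per_process": round(sum(per_type.values()), 2),
        "avg_doc_size_bytes": round(index_size_bytes / num_docs, 2) if num_docs else 0.0,
    }


# Constructed sample response in the shape Solr's JSON facet API produces.
SAMPLE_RESPONSE = json.loads("""{
  "response": {"numFound": 2, "start": 0, "docs": []},
  "facets": {"count": 2, "modload_count": 40.5, "regmod_count": 12.0,
             "filemod_count": 7.25, "netconn_count": 3.0,
             "childproc_count": 1.5, "crossproc_count": 0.75}
}""")

if __name__ == "__main__":
    print(build_query_url("<SolrCoreName>"))
    # Constructed Core Overview figures: 2,000,000 docs in a 6 GB index.
    print(json.dumps(summarize(SAMPLE_RESPONSE, 2_000_000, 6_000_000_000), indent=2))
```

Run it against a live server by fetching the URL from build_query_url and passing the parsed JSON to summarize along with the figures read from the Core Overview page.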

Additional Information

  • Replace <SolrCoreName> with the name of the specific core that data is being collected from.
  • Take note of the core's rollover period, since the averages describe only the events in that core. It is usually 3 days in length, but it can differ depending on the configuration.