Why do the netconn counts differ between the Process Search page and the Process Analysis page?
 

• EDR Servers: 7.1 and higher

• The Process Search count is the running total for the process, the Process Analysis is the number within the given Solr segment.  There are two reasons the counts differ:

            A) The older netconns aged out of the Solr core segments (count is lower in the Analysis page) or
            B) The sensor was restarted while storing to the current segment reseting the total (count is lower in the Search page).

• To confirm the EDR console is reporting the correct numbers,

               a) Pull the raw document for that event.  Run a curl command, on the standalone server or the minion used by the sensor, using the GUID (first string in the Process Analysis URL).

curl 'http://localhost:8080/solr/reader/select?q=id:<uniqueid>*&wt=json&indent=true&rows=400&debug=track&sort=last_server_update%20asc' >> rawprocdoc.json

               b) Extract the number of complete netconns which occurred in that segment until the current time.  This number should match the Process Analysis total of netconns (Confirm the timeline is completely expanded).

egrep 'timestamp.*protocol.*direction.*local_ip.*local_port.*remote_ip' <rawprocdoc.json> | grep -v Response | wc -l]

               c) Determine if the sensor was restarted at anytime during this solr segment.

grep '"netconn_count":0,' <rawprocdoc.json> | grep -v Response

• The netconn number displayed on the Process Search page reflects the running total of netconns for the given process.  When the Process Search page displays a number lower than the netconns listed in the Process Analysis page, this indicates the sensor restarted while the event process was running.  Confirmation can be noted in the raw document by searching for netconn_count being reset to 0.
• When the Process Search page displays a number greater than the netconns listed in the Process Analysis page, this indicates the event ran over several segments (expand the timeline) or some netconns occurred several days earlier and may have aged out of the Solr data store.  Confirmation can be found in the raw document with the first netconn_count is greater than 0.  
• The Process Search result lists all of the segments of any processes that match the search criteria. Checking 'group by process' option will collapse these into one row per unique process. Selecting one of these segments will then show all the events based on the timeline selected above.
• The netconn numbers represent "The number of network connections that the execution of this process either attempted or established.
• The number of netconns displayed Process Analysis page should match the number of netconns exported.