EDR: Low data retention on the Server/Cluster with adequate space

EDR: Low data retention on the Server/Cluster with adequate space

search cancel

EDR: Low data retention on the Server/Cluster with adequate space

book

Article ID: 287767

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Searching for events older than 3 days results in "404" page.
Maximum amount of Solr shards are seen in the Solr cbevents directory under the same date:
```
cbevents_2019_08_12_2234
cbevents_2019_08_12_2244
cbevents_2019_08_12_2254
```

Environment

EDR Server: 6.X

Cause

The cb.conf file has a misconfigured maximum size for the Solr core sizes.

Example for setting core size to 5 GB, when it should be 500 GB:

Incorrect:
SolrTimePartitioningMaxSizeMB=5000

Correct:
SolrTimePartitioningMaxSizeMB=500000

Resolution

Confirm the settings in the /etc/cb/cb.conf file are correct.
Restart the Server/Cluster services to apply the changes.

Additional Information

By default, CB Response will rollover the oldest cores once the maximum shard count has been reached. This is set under:

SolrTimePartitioningActivePartitions=30

Feedback

thumb_up Yes

thumb_down No