EDR: Many CbEvent Cores with the Same Date
Article ID: 287944
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
When looking in /var/cb/data/solr/cbevents* there are many cores with the same date in the folder name.
Environment
- EDR Server: All Versions
Cause
Cores failed to roll over, the could be due to disk space limit at the time or Solr being too busy to respond
Resolution
- Confirm the cores that are missing the core configuration files
find /var/cb/data/solr/cbevents*/ -mindepth 1 -maxdepth 1 -type d \! -exec test -e '{}/cb.core.conf' \; -print | grep -v reader find /var/cb/data/solr/cbevents*/ -mindepth 1 -maxdepth 1 -type d \! -exec test -e '{}/core.properties \; -print | grep -v reader - Delete the cbevents_<date> cores that do not have these any longer.
- If there are any cbevents_<date> cores that are abnormally older than your other cores, go ahead and remove those as well
Additional Information
- For instances that have added partitions to expand on the cbevent core available space, the algorithm during rollover will try to use the next partition with space. This can mean that you will have cores with the same date stamp on the different partitions and will need to be cleaned up on each partition.
Feedback
Yes
No
Powered by
