Cb Response: How to determine top noisy and chatty hosts and processes (5.x)
Article ID: 288136
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to list the "noisiest" hosts, processes, and parent processes, i.e. the values with the most event records in the Cb Response (version 5.x) cluster's index.
Environment
Cb Response: version 5.x
Resolution
Determine which shards are present on the local node:
# cat /etc/cb/cluster.conf
Run the following commands on each node, replacing "0" in the URL with each shard number present on that node (repeat per shard):
Get list of "noisiest" hosts:
curl "http://127.0.0.1:8080/solr/0/terms?terms.fl=hostname&terms=true&terms.limit=50&indent=true" > "/tmp/$(hostname)_noisy_hosts.txt"
Get list of most common processes:
curl "http://127.0.0.1:8080/solr/0/terms?terms.fl=path_full&terms=true&terms.limit=50&indent=true" > "/tmp/$(hostname)_top_procs_pathfull.txt"
Get list of most common parent processes:
curl "http://127.0.0.1:8080/solr/0/terms?terms.fl=parent_name&terms=true&terms.limit=50&indent=true" > "/tmp/$(hostname)_top_parentprocs.txt"
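Putting the steps above together, as an added example that is not part of the KB article: the script below runs the same three terms queries against every shard you pass on the command line and sums the per-shard counts into one cluster-wide ranked list per field (the raw commands above give one list per shard, so a host seen by several shards is split across files). It assumes Solr answers on 127.0.0.1:8080 as in the article, the default XML response format (one term per line with indent=true), and that you read the shard numbers from /etc/cb/cluster.conf yourself; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the KB article): run the article's Solr "terms"
# queries on every local shard and merge the counts per field.
# Assumes Solr on 127.0.0.1:8080, XML responses, shard numbers as arguments.
SOLR_BASE="${SOLR_BASE:-http://127.0.0.1:8080/solr}"
TERM_LIMIT="${TERM_LIMIT:-50}"
TAB=$(printf '\t')

# Same query the article uses, for one shard and one field.
terms_url() {
    printf '%s/%s/terms?terms.fl=%s&terms=true&terms.limit=%s&indent=true\n' \
        "$SOLR_BASE" "$1" "$2" "$TERM_LIMIT"
}

# Turn an XML terms response on stdin into "count<TAB>term" lines. Only <int>
# elements after <lst name="terms"> count; the responseHeader's status/QTime are skipped.
parse_terms() {
    awk '/<lst name="terms">/ { inside = 1 }
         inside && match($0, /<int name="[^"]*">[0-9]+<\/int>/) {
             s = substr($0, RSTART, RLENGTH)
             term = s; sub(/^<int name="/, "", term); sub(/">.*$/, "", term)
             count = s; sub(/^.*">/, "", count); sub(/<\/int>$/, "", count)
             printf "%s\t%s\n", count, term
         }'
}

# Sum counts for identical terms (a host or process reported by several shards)
# and print the top N, highest count first.
merge_counts() {
    awk -F '\t' '{ total[$2] += $1 }
        END { for (t in total) printf "%d\t%s\n", total[t], t }' |
        sort -t "$TAB" -k1,1nr | head -n "${1:-50}"
}

# Query one field on every shard given, then merge.
top_terms() {
    field="$1"; shift
    for shard in "$@"; do
        curl -s "$(terms_url "$shard" "$field")" | parse_terms
    done | merge_counts "$TERM_LIMIT"
}

# Usage: sh noisy_hosts.sh 0 1 2   (writes one ranked file per field under /tmp)
if [ "$#" -gt 0 ]; then
    for field in hostname path_full parent_name; do
        top_terms "$field" "$@" > "/tmp/$(hostname)_top_${field}.txt"
    done
fi
```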