EDR: Does SOLR compress events that are being ingested?
Article ID: 289098
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Does SOLR compress events that are being ingested?
Environment
- EDR Server: All Supported versions
- EDR Sensor: All Supported Versions
Resolution
SOLR does not compress data at ingestion or while its being held in a hot SOLR core. When cores roll over from hot (currently writing) to warm (searchable) they are optimized and size shrinks at that time.
Additional Information
- At cold, there is no difference from warm other than they are no longer being loaded to memory.
- To compress the cold ones, looking at the server/cluster management guide for CBR they suggest backing up solr cores with this command:
tar -P --selinux -cvf <corenamehere>.tar /<path and core>
- And when it needs to be loaded back you can untar with:
tar -P -xvf <corenamehere>.tar
- To compress the cold ones, looking at the server/cluster management guide for CBR they suggest backing up solr cores with this command:
Feedback
Yes
No
Powered by
