CB Response: Query timeouts when searches run on process and binary data
Article ID: 290030
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Overall slowness in the UI
- Warnings for the search appear in /var/log/cb/job-runner/job-runner.log
-
<warning> [watchlist_search] Solr request returned incomplete results after 120623 ms.
-
- modulestore is very large
- Solr logs show queries timing out with the message
-
The request took too long to iterate over terms. Timeout
-
Environment
- CB Response Server: 5.x and Above
Cause
- There is too much data for Solr to process when joining a search on binary and process data
Resolution
- The amount of data queried must be reduced. Consider doing one or more of the following:
- Clear old binary data using modulestore_purge - https://community.carbonblack.com/t5/Knowledge-Base/How-To-Enable-Automated-Cbmodule-Purging/ta-p/33620
- Modify the query to be as specific as possible
- Remove any reference to binary fields in the query
Feedback
Yes
No
Powered by
