• UI search only shows events from the last few days
• Querying loaded solr cores only shows a few cbevents* mounted
• /var/cb/data/solr*/cbevents shows many more cbevents* directories
• Server has run out of disk space or is above 90% disk usage

• EDR Server: All Versions
• /etc/cb/cb.conf value: AlwaysDeleteColdPartitions=False

• Once the server disk usage passes a certain threshold, Solr will roll over the oldest loaded core. 
• With AlwaysDeleteColdPartitions=False, older cores are unmounted, but will not be removed automatically. So the server never goes below the disk threshold

Disk usage needs to be reduced below the MaxEventStoreSizeInPercent (default 90%)

• Remove old cores to a separate storage location
• Increase drive space on server

• It is not recommended that cold cores be stored on the /var/cb partition
• New cores can be remounted manually, but the cb.user_mounted file will need to be removed: How to remount Solr Cold Core Partitions
• To view mounted cores, run:
  curl "http://127.0.0.1:8080/solr/admin/cores?action=STATUS&wt=json&indexInfo=false&indent=true" | grep name

Related Topics:
EDR: Only one active Solr core/shard mounted
EDR: How to enable event cold storage
How is Data Retention Determined?
EDR: Selecting an Event From the Alerts Page Results in a 404 Page