EDR: All warm core data purged after adding MaxEventStoreSizeInMB restriction to roll cores over

EDR: All warm core data purged after adding MaxEventStoreSizeInMB restriction to roll cores over

search cancel

EDR: All warm core data purged after adding MaxEventStoreSizeInMB restriction to roll cores over

book

Article ID: 290344

calendar_today

Updated On: 08-18-2020

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

All warm cores purged after applying updates to /etc/cb/cb.conf MaxEventStoreSizeInMB setting
Cores disappearing after rolling over

Environment

EDR Server: All Versions (Formerly CB Response)

Cause

MaxEventStoreSizeInMB is not the correct setting to force a core rollover
MaxEventStoreSizeInMB is determines total size of folder and purges down to that size

Resolution

Edit /etc/cb/cb.conf
Comment out MaxEventStoreSizeInMB
Add the correct setting for core rollover with the desired core size
- ```
SolrTimePartitioningMaxSizeMB=<max_core_size>
```
Restart services

Additional Information

MaxEventStoreSizeInMB should only be used to set the maximum disk usage of the entire /var/cb/data/solr*/cbevents directory
SolrTimePartition* settings will apply to individual cores
MaxEventStore* will apply to the entire /var/cb/data/solr*/cbevents folder

Feedback

Was this article helpful?

thumb_up Yes

thumb_down No