EDR: How To Purge CbEvent (Process) Data in 6.x and Higher

Article ID: 290576

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to purge event process data from the Solr database in EDR 6.x and higher.

Environment

  • EDR Server: 6.x and Higher

Resolution

Warning: This will irrecoverably remove data from the server. After removing this data, users will receive a 404 page when attempting to view Alerts, and process data will no longer appear in Process Search.

  1. Determine which core should be removed, typically the oldest core:
     curl "http://127.0.0.1:8080/solr/admin/cores?action=STATUS&wt=json&indexInfo=false&indent=true" | grep name
  2. Manually unload the core from the command line, where <core_name> is the core to be unloaded:
     curl "http://localhost:8080/solr/admin/cores?action=UNLOAD&core=<core_name>"
  3. Verify the core is unloaded, substituting <core_name> with the name used above (no output means the core is no longer loaded):
     curl "http://localhost:8080/solr/admin/cores?action=STATUS&indexInfo=true&indent=true&wt=json" | grep <core_name>
  4. Once the core is unloaded, remove the <core_name> files:
     rm -rf /var/cb/data/solr5/cbevents/<core_name>
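The four steps above wired together as one script, added here as an example and not part of the KB article or the product: it picks the oldest cbevents core from the STATUS output, unloads it, and refuses to rm -rf anything until a second STATUS call confirms the core is gone. It assumes the article's default Solr URL and data path, that only cores named cbevents_* are candidates, and that core names embed their date as cbevents_YYYY_MM_DD_HHMM so lexical order is chronological order (the sample STATUS JSON is constructed for this example).

```bash
#!/bin/bash
# Example script (not the article's own code). Assumptions: default Solr URL and
# data path from the article; cbevents core names sort chronologically by name.
SOLR="http://127.0.0.1:8080/solr/admin/cores"
CBEVENTS_DIR="/var/cb/data/solr5/cbevents"

# Constructed sample of the STATUS JSON, used for the offline demo below
SAMPLE_STATUS='{"status":{"cbevents_2024_03_01_0000":{"name":"cbevents_2024_03_01_0000"},"cbevents_2024_02_27_0000":{"name":"cbevents_2024_02_27_0000"},"cbevents_2024_03_04_0000":{"name":"cbevents_2024_03_04_0000"}}}'

# Pull the core names out of STATUS JSON on stdin (same "name" lines the article greps)
core_names() {
    grep -o '"name": *"[^"]*"' | sed 's/"name": *"\(.*\)"/\1/'
}

# Oldest cbevents core = lexically smallest cbevents_* name (assumption above)
oldest_core() {
    core_names | grep '^cbevents_' | sort | head -n 1
}

# Exit 0 if the named core is still listed in the STATUS JSON on stdin
core_is_loaded() {
    core_names | grep -qx "$1"
}

# Offline demo of the selection logic against the constructed sample
demo_oldest_core() {
    printf '%s' "$SAMPLE_STATUS" | oldest_core
}

# Steps 1-4 of the article, with the verify step gating the rm -rf
purge_oldest_core() {
    local core
    core=$(curl -s "$SOLR?action=STATUS&wt=json&indexInfo=false" | oldest_core)
    [ -n "$core" ] || { echo "no cbevents core found" >&2; return 1; }
    echo "unloading $core"
    curl -s "$SOLR?action=UNLOAD&core=$core" >/dev/null
    if curl -s "$SOLR?action=STATUS&wt=json&indexInfo=false" | core_is_loaded "$core"; then
        echo "$core is still loaded; not removing its files" >&2
        return 1
    fi
    rm -rf "${CBEVENTS_DIR:?}/$core"
    echo "removed $CBEVENTS_DIR/$core"
}

# Only touch the live server when explicitly asked; sourcing the file is harmless
if [ "${1:-}" = "--run" ]; then
    purge_oldest_core
fi
```

Run with `--run` on the EDR server to purge one core; without arguments the script only defines the functions.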

Additional Information

  • If Solr is not running, cores can be removed from disk without manually unloading the core first.
  • Unloading a core but skipping step 4 and leaving its files in the directory means Solr will not purge this data. Leaving an unloaded core on disk can greatly reduce retention.
  • The cbevents data is held in /var/cb/data/solr5/cbevents/ as 3-day rollover cores by default. If the default storage path has been changed, the path in step 4 will need to be altered to match.