How to remount a Solr cold core for searching.

• Carbon Black EDR Server: All Versions

1. Log into the backend via ssh/terminal
2. Copy the core file to /var/cb/data/solr/cbevents
3. Get a user API Token
   • How to get the API token from the UI
   • Collecting a user API token from the server
4. Mount the cold core by the core folder name, cbevents_<date>.

   curl -XPOST -H "X-Auth-Token:<API TOKEN>" "https://<ServerName>/api/v1/storage/events/cbevents_<date>/mount" -k

5. Unmount the core when use of core is complete.

   curl -XPOST -H "X-Auth-Token:<API TOKEN>" "https://<ServerName>/api/v1/storage/events/cbevents_<date>/unmount" -k

6. Verify the core is no longer mounted in the console

   https://<ServerName>/api/v1/storage/events/partition

• When a cold core is no longer used, it should be removed from the EDR server. The core can take up space that will cause warm cores to rollover and be deleted sooner. 
• Cores remounted must be manually removed. The server will not automatically purge user mounted cores.
• Remounted cores will have a file cb.user_mounted which tells the server not to delete the core. 
• Partition Temperatures
  • Hot - Partition currently being written to that is searchable
  • Warm - Read-only partitions loaded in Solr memory to be searchable
  • Cold - Read-only partitions that reside on disk and are not searchable until mounted
• In a cluster the ServerName should be the server where the core is physically located