CB Response: Unified View server shows inconsistent search results for expensive queries
Article ID: 291792
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- Process Searches on CB Unified View must be run several times in a row in order to get a consistent result
- One or more clusters connected to the Unified View server timeout before returning results to the console, so the results are incomplete and inconsistent when searched again.
- Unified View Console will popup the message "There are clusters experiencing errors or slow response times. You may wish to disable them to prevent them from slowing your experience. [View details|".
Environment
- CB Response Server: All Versions
- CB Unified View: All Versions
Cause
The "inconsistency" in the searches relates back to the 180 second timeout value that the Unified View server is using when it searches across all of the CB Response clusters.
Resolution
Workarounds:
- If a query times out on one or more clusters, run the query again and the CB Response clusters will use the cached results to help complete the results on the next run. This behavior is expected and part of the product design.
- Reduce the time frame used to search for known expensive queries. Smaller time frames will produce smaller subsets of data and will likely complete before the 180sec timeout from the Unified View server.
- Some queries work better than others based on the quality of the syntax in SOLR. Simplify or improve the search criteria to come back with a smaller data set to ensure results before the query times out.
Feedback
Yes
No
Powered by
