EDR: No Results With Last 3 Days Process Search (missing cb.core.conf)

Article ID: 291942

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Using the 'Last 3 days' time-frame on the Process Search page returns data more than three days old
  • Using the 'All Time' option shows results from the last three days through to the present
  • cbdiags server stats show no backlog of sensor data
  • No cb.core.conf file is present in the current writer core/partition (/var/cb/data/solr5/cbevents/cbevents_YYYY_MM_DD_XXXX):
    cd /var/cb/data/solr5/cbevents/
    ls cbevents_{MostRecentCore}
    	(returns only core.properties and data; cb.core.conf is missing)

Environment

  • EDR (formerly Cb Response) Console: 6.2.4
  • Linux: All Supported Versions

Cause

The cb.core.conf file must be present on the writer core for the 'Last 3 days' time-frame to work. Without it the server cannot determine the creation date of the current partition, so the time-bounded search cannot be scoped to it.

Resolution

  1. Connect to the Solr server
  2. Stop the service:
    service cb-enterprised stop
  3. Create a cb.core.conf file manually in the most recent core/partition (/var/cb/data/solr5/cbevents/cbevents_YYYY_MM_DD_XXXX) with the following contents:
  • [Core] 
    creation_date = <date of the core directory, in the form YYYY-MM-DDTHH:MM:SS.000000Z>
    schema_name = <cbevents_v2 or cbevents_v1>
    optimization_disabled = False
  • Example for a core named cbevents_2019_03_18_1549 using cbevents_v1:
[Core] 
creation_date = 2019-03-18T15:49:00.000000Z
schema_name = cbevents_v1
optimization_disabled = False
 
  4. Save the new cb.core.conf file
  5. Set ownership on the new cb.core.conf file:
    chown cb:cb cb.core.conf
  6. Set SolrTimePartitioningMinutes to 5 in /etc/cb/cb.conf, noting the current value (if the setting is not present, add it at the very end of the file):
    SolrTimePartitioningMinutes=5
  7. Start the service:
    service cb-enterprised start
  8. Within six minutes a new core should have been created with valid information:
    cd /var/cb/data/solr5/cbevents/
    ls cbevents_{MostRecentCore}
     (should return cb.core.conf, core.properties, data)
    
  9. Remove SolrTimePartitioningMinutes from /etc/cb/cb.conf (or set it back to the original value)
  10. Restart the service:
    service cb-enterprised restart
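The hand-written file in step 3 is the part of this procedure that is easiest to get wrong: a creation_date that does not match the exact YYYY-MM-DDTHH:MM:SS.000000Z form, or a schema_name that disagrees with core.properties, leaves the server unable to create the next core. The POSIX shell script below is an added example, not part of this article or of the Carbon Black product. It builds cb.core.conf for the newest core from the core directory name and the configSet field of its core.properties, validates the timestamp format before writing, and refuses to overwrite an existing file. It assumes, as the article's own example implies (cbevents_2019_03_18_1549 maps to 15:49 on 2019-03-18), that core directories are named cbevents_YYYY_MM_DD_HHMM, and that core.properties contains a line of the form configSet=cbevents_vN; run it with cb-enterprised stopped, as in step 2.

```shell
#!/bin/sh
# Added example, not part of the Carbon Black article or product.
# Generates cb.core.conf for the newest cbevents core (the writer core) from
# the core directory name and its core.properties.
# Assumptions: core directories are named cbevents_YYYY_MM_DD_HHMM (as in the
# article's example, where cbevents_2019_03_18_1549 maps to 15:49 on 2019-03-18)
# and core.properties contains a line of the form configSet=cbevents_vN.

# Newest core under a cbevents directory; this naming scheme sorts chronologically.
newest_core() {
    ls -d "$1"/cbevents_* | sort | tail -n 1
}

# creation_date matching a core directory name:
#   cbevents_2019_03_18_1549 -> 2019-03-18T15:49:00.000000Z
core_creation_date() {
    stamp=$(basename "$1")
    stamp=${stamp#cbevents_}            # YYYY_MM_DD_HHMM
    year=${stamp%%_*};  stamp=${stamp#*_}
    month=${stamp%%_*}; stamp=${stamp#*_}
    day=${stamp%%_*};   hhmm=${stamp#*_}
    printf '%s-%s-%sT%s:%s:00.000000Z\n' "$year" "$month" "$day" "${hhmm%??}" "${hhmm#??}"
}

# schema_name is the configSet value recorded in the core's core.properties.
core_schema_name() {
    sed -n 's/^configSet=//p' "$1/core.properties"
}

# The server only accepts YYYY-MM-DDTHH:MM:SS.000000Z; anything else shows up as a
# timestamp error in /var/log/cb/enterprise/enterprise.log and no new core appears.
valid_creation_date() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.000000Z$'
}

# Write cb.core.conf into a core directory. Refuses to overwrite an existing file,
# to write a malformed creation_date, or to write an empty schema_name.
write_core_conf() {
    core=$1
    if [ -f "$core/cb.core.conf" ]; then
        echo "refusing to overwrite $core/cb.core.conf" >&2
        return 1
    fi
    cdate=$(core_creation_date "$core")
    if ! valid_creation_date "$cdate"; then
        echo "malformed creation_date: $cdate" >&2
        return 1
    fi
    schema=$(core_schema_name "$core")
    if [ -z "$schema" ]; then
        echo "no configSet in $core/core.properties" >&2
        return 1
    fi
    printf '[Core]\ncreation_date = %s\nschema_name = %s\noptimization_disabled = False\n' \
        "$cdate" "$schema" > "$core/cb.core.conf"
    # Same ownership the article sets by hand; skipped when not root or when there
    # is no cb user (for example when trying the script on a workstation).
    if [ "$(id -u)" -eq 0 ] && id cb >/dev/null 2>&1; then
        chown cb:cb "$core/cb.core.conf"
    fi
}

# Usage: sh make_core_conf.sh /var/cb/data/solr5/cbevents
if [ -n "${1:-}" ]; then
    core=$(newest_core "$1")
    write_core_conf "$core" && cat "$core/cb.core.conf"
fi
```

After running it against /var/cb/data/solr5/cbevents, continue with steps 6 to 10 of the procedure above so that the server creates a fresh core on its own and confirms the hand-made file is accepted.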

Additional Information

  • The schema_name version can be found in the configSet field of the core's core.properties file
  • If a new core is not generated after six minutes, check /var/log/cb/enterprise/enterprise.log. An error related to the timestamp means the creation_date value is misconfigured; the format must be exactly YYYY-MM-DDTHH:MM:SS.000000Z