• Watchlists will show "ERROR" in the EDR console because they timeout if they contain fields that exist in both the cbevents and cbmodules SOLR cores.
• SOLR Debug.log has events that show an "undefined field" error:

  <DATE/TIME> - [ERROR] - from org.apache.solr.handler.RequestHandlerBase in <REDACTED> [writer] 
  Client exception
  org.apache.solr.common.SolrException: undefined field file_desc

• Carbon Black EDR Server: Version 7.9.1
• SOLR 9.9 version
• Watchlists: must search both cbmodules and cbevents cores with a JOIN query in SOLR

As part of SOLR 9.9 upgrade in 7.9.1 the code at various places has forced highlighter (hl) method to be "original" however, this change was missed in watchlist runs. When no hl.method is passed, SOLR is now defaulting to unified search which is causing the issue where SOLR is attempting cbmodule fields on cbevents.

• WORKAROUND:Open a Support Case with Broadcom and share a the most recent CBDIAG from the primary node of the EDR server. This will help to validate the issue and a hotfix can be applied to resolve the issue.
• FIX: This is going to be permanently fixed in the 7.9.2 EDR Server release.