Environment
- CB Response Server: 6.2.x and Higher
- Linux: All Supported Versions
Objective
Explain how to disable fuzzy facets (search fuzzing) when necessary
Resolution
WARNING: Disabling Fuzzy Facets in environments with a lot of events will likely have performance impact during facet loading
- Open /etc/cb/cb.conf
- Locate the Fuzzy Facets flag
CoreServicesEnableFuzzyProcessFacets=True
- Update the value from True to False
CoreServicesEnableFuzzyProcessFacets=False
- Save changes to /etc/cb/cb/conf
- Restart services
service cb-enterprise restart
Additional Notes
- Fuzzy facets improve performance of returning search results, but can require more specific searches to return the desired results reliably
- With fuzzy facets turned on the Filters portion of the Process Search page may not display all expected values or options unless more specific search terms are used
- process_name:svchost.exe may only show a Parent of services.exe in the left-hand filters
- process_name:svchost.exe -parent_name:services.exe may show no additional Parent options but still a large estimated count of results
- process_name:svchost.exe parent_name:* -parent_name:services.exe would yield additional Parent processes and a more accurate estimated count
Related Content
