Version
CB Response Server 6.1 or greater
Issue
The 6.1.x Cb Response Release Notes document new "Version 2" or "V2" tokenization/query capability
(See "Improved Command-line Searches" on page 10)
Carbon Black Response v6.1 - Release Notes
Symptoms
After following the steps documented (modifying the Master and each Minion's cb.conf and restarting services),
the new searching features do not immediately work.
For example, V2 tokenization makes file extensions searchable fields, so one can search for the string ".exe" like so:
cmdline:.exe
but immediately after the configuration change this search returns no results.
Cause
For V2 tokenization to take effect, the cb.conf files first need the added line
CurrentEventsSchema=cbevents_v2
Only after that line is in place will the next new "writer core" be created with that capability, and only new data ingested into such a core
will be accessible with the new V2 searching. Keep in mind that new writer cores are created every
three days, so V2 tokenization can take up to three days to take effect.
For example, if an administrator edits the cb.conf on each Cb server on Monday,
it may take until Thursday before a new writer core that supports V2 tokenization has been created on every server.
To verify that a core supports V2 tokenization, open the text file
/var/cb/data/solr5/cbevents/cbevents_(date)/core.properties
and check that it contains this line:
configSet=cbevents_v2
If it does, any events ingested into this core will be searchable with the new capabilities.
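As an added example (not part of the original article or the product), a small POSIX shell helper that performs the two checks described above on one server: whether a given cb.conf carries the CurrentEventsSchema line, and which event cores under the Solr data directory were created with configSet=cbevents_v2. The cbevents root defaults to the path given in this article; the cb.conf path is supplied by the caller, and the function names are my own.

```shell
#!/bin/sh
# Helpers for verifying the V2 tokenization rollout on a Cb Response server.
# conf_has_v2_schema /path/to/cb.conf   -> exit 0 if the schema line is present
# list_core_schemas [cbevents_root]     -> "<core name> <configSet or MISSING>" per core
# count_v2_cores [cbevents_root]        -> number of cores created with cbevents_v2

# Exit 0 when the cb.conf given as $1 contains the required setting
# (uncommented, at the start of a line), 1 otherwise.
conf_has_v2_schema() {
    grep -q '^CurrentEventsSchema=cbevents_v2[[:space:]]*$' "$1"
}

# Print one line per core directory under the cbevents root:
# the directory name and its configSet value, or MISSING if core.properties
# is absent or has no configSet line.
list_core_schemas() {
    root="${1:-/var/cb/data/solr5/cbevents}"   # path from the article
    for dir in "$root"/cbevents_*/; do
        [ -d "$dir" ] || continue               # glob did not match anything
        name=$(basename "$dir")
        props="$dir/core.properties"
        if [ -f "$props" ]; then
            cfg=$(sed -n 's/^configSet=//p' "$props" | tail -n 1)
            printf '%s %s\n' "$name" "${cfg:-MISSING}"
        else
            printf '%s %s\n' "$name" "MISSING"
        fi
    done
}

# Print how many cores were created with the V2 schema. Only events written
# into these cores are searchable with V2 tokenization, so 0 means the
# three-day writer-core rollover has not happened yet on this server.
count_v2_cores() {
    list_core_schemas "$1" | awk '$2 == "cbevents_v2" { n++ } END { print n + 0 }'
}
```

Run it on the Master and on each Minion; a server whose cb.conf passes but whose V2 core count is still 0 is simply waiting for its next writer core.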