Combining a search using the 'digsig_result' and 'alliance_score_*' fields results in an error

Version
This solution applies to versions earlier than v5.0 Patch 3.


Issue

A search fails when it combines the digsig_result field with an Alliance score field, such as:

digsig_result:signed AND alliance_score_virustotal:[1 TO *]

Symptoms
The error message observed in the UI after performing the search:

An unexpected error occurred - please see your system administrator.

The following may also be seen in /var/log/cb/solr/debug.log:

2015-04-16 08:22:09,266 - [ERROR] - from org.apache.solr.core.SolrCore in http-8080-14

org.apache.solr.common.SolrException: undefined field: "_qalliance_score_virustotal"

Cause
The cause is a syntax problem with the join clause Solr uses.

Solution

As a workaround on v5.0 Patch 1 (5.0.0.150416.1350), include the alliance_score_<feed> query first, such as:

alliance_score_virustotal:[1 TO *] AND digsig_result:signed

The issue is resolved in v5.0 Patch 3. Refer to defect numbers ENT-3832 and ENT-4341.
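
For saved searches on an affected version, the reordering workaround above can be applied mechanically. The following is an added example, not code from the product or from this article's author; the function names and the process_name sample clause are constructed for illustration. It assumes the query is a flat list of clauses joined by top-level AND, and leaves anything else unchanged.

```python
def top_level_tokens(query):
    """Split on whitespace that is outside quotes, [], () and {}."""
    tokens, cur, depth, quoted = [], "", 0, False
    for ch in query:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "[({":
            depth += 1
        elif not quoted and ch in "])}":
            depth -= 1
        if ch.isspace() and depth == 0 and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def alliance_first(query):
    """Move alliance_score_<feed> clauses ahead of the others.

    Only rewrites 'clause AND clause AND ...' that contains both a
    digsig_result clause and an alliance_score_ clause. Queries with OR,
    NOT, implicit operators, or the two fields nested inside parentheses
    are returned unchanged, because reordering them could change meaning.
    """
    tokens = top_level_tokens(query)
    if len(tokens) % 2 == 0:
        return query  # not an alternating clause/operator sequence
    clauses, operators = tokens[0::2], tokens[1::2]
    if any(op != "AND" for op in operators):
        return query
    if any(c in ("AND", "OR", "NOT") for c in clauses):
        return query
    is_alliance = [c.startswith("alliance_score_") for c in clauses]
    has_digsig = any(c.startswith("digsig_result:") for c in clauses)
    if not (has_digsig and any(is_alliance)):
        return query
    # Stable ordering: alliance clauses first, the rest in original order.
    ordered = [c for c, a in zip(clauses, is_alliance) if a]
    ordered += [c for c, a in zip(clauses, is_alliance) if not a]
    if ordered == clauses:
        return query
    return " AND ".join(ordered)
```
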

Creation Date: 05-06-2015