logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Combining a search using the 'digsig_result' and 'alliance_score_*' fields results in an error

Combining a search using the 'digsig_result' and 'alliance_score_*' fields results in an error

Version
This solution applies to versions earlier than v5.0 Patch 3.


Issue

Performing a search fails when combining the fields digsig_result and an Alliance score, such as:

digsig_result:signed AND alliance_score_virustotal:[1 TO *]

Symptoms
The error message observed in the UI after performing the search:

An unexpected error occurred - please see your system administrator.

The following may also be seen in /var/log/cb/solr/debug.log:

2015-04-16 08:22:09,266 - [ERROR] - from org.apache.solr.core.SolrCore in http-8080-14

org.apache.solr.common.SolrException: undefined field: "_qalliance_score_virustotal"

Cause
The cause is a syntax problem with the join clause Solr uses.

Solution

As a workaround on v5.0 Patch 1 (5.0.0.150416.1350), include the alliance_score_<feed> query first, such as:

alliance_score_virustotal:[1 TO *] AND digsig_result:signed

The issue is resolved in v5.0 Patch 3. Refer to defect numbers ENT-3832 and ENT-4341.

Labels (1)
Labels:
Was this article helpful? Yes No
No ratings
Article Information
Author:
akramer
Creation Date:
‎05-06-2015
Views:
481
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.