Environment

• EDR Server: All Supported Versions

Objective

Resolution

1. Try restarting the EDR cb-enterprise services to rectify the Watchlist error.
2. If still receiving the same error, try disabling and re-enabling the Watchlist.
3. Make note of any other console issues that may be symptoms of a larger issue.
4. Check the /var/log/cb/job-runner/jog-runner.log for the Watchlist name, to see if other errors are present at that time.
5. Check the /var/log/cb/solr*/debug.log and startup.log to look out for errors at the time of reproducing this issue.
6. If none of the above helped, upload cbdiags to alliance.

Additional Notes

• If the issue is happening on a specific Watchlist, disable the current Watchlist and create a new Watchlist with the same query as well as notification settings.
• If Solr cores are not optimizing, the server may not be meeting the Operating Environment Requirements standards for the amount of data coming through, slowing down any requests to the database.
• Resources are needed to meet Operating Environment Requirements standards, to prevent future occurrences of this issue.
• If too much data is coming in, reducing maximum event core size can also help.
   

Related Content

https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-Restart-Server-Services/ta-p/41294
https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-To-Generate-Server-Diagnostic-Logs-for-O...
https://community.carbonblack.com/t5/Knowledge-Base/EDR-Watchlists-appear-in-Error-state/ta-p/78037
https://community.carbonblack.com/t5/Knowledge-Base/EDR-Watchlist-timing-out-in-UI/ta-p/69846
https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-manually-optimize-a-core/ta-p/81672
https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-manually-run-the-watchlist-search-job...
https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-adjust-maximum-Solr-core-sizes/ta-p/7...