Environment
- EDR (formerly CB Response) Server: 6.1 or Higher
- EDR (formerly CB Response) Server 5.x previously installed
Symptoms
- Unexpectedly large disk usage on the /var/cb partition
- Outdated (legacy) cbevents files consuming unexpectedly high disk usage
- Low event retention
Cause
- An unusually large cbevents core was generated after upgrade from 5.x to 6.x
- The core was not automatically deleted because the process timed out, and a retry was never attempted
Resolution
- Identify the oldest (outdated 5.x) cbevents core file(s):
curl "http://127.0.0.1:8080/solr/admin/cores?action=STATUS&wt=json&indexInfo=false&indent=true" | grep name | grep cbevents5_
- Manually unload each of the outdated cbevents core file(s), substituting <core_name> with the core folder name:
curl "http://localhost:8080/solr/admin/cores?action=UNLOAD&core=<core_name>"
- Verify outdated cbevents core file(s) were successfully unloaded:
curl "http://127.0.0.1:8080/solr/admin/cores?action=STATUS&wt=json&indexInfo=false&indent=true" | grep name | grep cbevents5_
- Manually delete the outdated cbevents core file(s) from the Linux file system, substituting <core_name> with the core folder name:
- This solution will irrecoverably remove data from the Cb Response server.
rm -rf /var/cb/data/solr5/cbevents/<core_name>
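The steps above as a dry-run helper, added here as an example (not part of the original article or any vendor tooling): it pulls cbevents5_* names out of the STATUS output and only builds an rm path when the name is exactly cbevents5_<digits>, so an empty or malformed <core_name> cannot widen the rm -rf to the whole cbevents directory. The function names and SAMPLE_STATUS are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: guard rails for the manual cleanup; prints commands, runs none.
# Assumes indent=true output puts each "name":"..." pair on its own line.
CORE_ROOT=/var/cb/data/solr5/cbevents   # path from the article

# Constructed sample of a STATUS response (not real server output).
SAMPLE_STATUS='{
  "status":{
    "cbevents5_0":{
      "name":"cbevents5_0",
      "instanceDir":"/var/cb/data/solr5/cbevents/cbevents5_0/"},
    "cbevents_2024_01_01_0000":{
      "name":"cbevents_2024_01_01_0000"},
    "cbevents5_1":{
      "name":"cbevents5_1"}}}'

# Read STATUS JSON on stdin; print legacy core names, one per line.
legacy_cores() {
  sed -n 's/^[[:space:]]*"name":[[:space:]]*"\(cbevents5_[0-9][0-9]*\)".*$/\1/p' | sort -u
}

# Print the directory for a core; fail unless the name is cbevents5_<digits>.
core_path() {
  case "$1" in
    cbevents5_*) ;;
    *) return 1 ;;
  esac
  suffix=${1#cbevents5_}
  case "$suffix" in
    ''|*[!0-9]*) return 1 ;;   # empty suffix, slashes, dots, anything non-numeric
  esac
  printf '%s/%s\n' "$CORE_ROOT" "$1"
}

# Read STATUS JSON on stdin; print the unload and delete commands per legacy core.
plan_cleanup() {
  legacy_cores | while IFS= read -r core; do
    dir=$(core_path "$core") || continue
    printf 'curl "http://localhost:8080/solr/admin/cores?action=UNLOAD&core=%s"\n' "$core"
    printf 'rm -rf %s\n' "$dir"
  done
}

printf '%s\n' "$SAMPLE_STATUS" | plan_cleanup
```

On a server, pipe the output of the STATUS curl command from the first step into plan_cleanup and review the printed commands before running any of them.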
Additional Notes
- Outdated cbevents core files will be named cbevents5_*, for example: cbevents5_0, cbevents5_1, cbevents5_2, etc.
- If Solr is not running, cores can be removed by running the rm command above without first unloading them via curl.
- After removing this data, a 404 page may appear on the Process Analysis page when attempting to view process information for event data collected by these older cores.
- Events from removed cores will no longer appear in Process Search.