logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

EDR: Inconsistent Results When Using Netconn_Count Search Field on Process Search Page

EDR: Inconsistent Results When Using Netconn_Count Search Field on Process Search Page

Environment

  • EDR Server: All Versions
  • Hosted EDR Server: All Versions

Symptoms

Processes which are terminated:true are not consistently returned when netconn_count is used in process search.

Cause

This is due to a product issue.

Resolution

The product issue is being investigated in CB-32829. Once a target release date or version is provided, this article will be updated.

Additional Notes

Example:

1. The following search returns 29 hits, all of which have a terminated:true in process document:
netconn_count:[1 TO *] ipaddr:127.0.0.1 process_name:local

2. However this search returns 12 results:
netconn_count:[1 to 100] ipaddr:127.0.0.1 process_name:local

Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎09-18-2020
Views:
490
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.