Environment

• EDR Server: 6.x and Higher
• EDR Console

Objective

• How to export more than 1000 results to .csv from the EDR console

Resolution

1. Edit the cb.conf on all cluster nodes

vi /etc/cb/cb.conf

2. Add the value 'SearchExportCount=40000' to the bottom of the cb.conf file and Save
3. Restart services- https://community.carbonblack.com/t5/Knowledge-Base/Cb-Response-How-to-restart-services/ta-p/41294

Additional Notes

• 40000 appears to be the limit that the product can currently support for export without causing a performance impact. Going higher than 40000 could negatively affect the EDR cluster
• The configuration change applies to Binary Search, Process Search, and Triage Alerts results.
• The number of rows exported for a large search depends on (1) the server's specifications of CPU and RAM to process the new large export, and (2) your local system's resources available to your browser.
• For Hosted EDR please open a case to request a config change up to 'SearchExportCount=40000'

Related Content

• EDR: How to Restart Server Services