logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Single Process Document Older Than Retention Settings

Single Process Document Older Than Retention Settings

Version

Cb Response 5.x

Issue

Single process ran before MaxEventStoreDays retention settings in /etc/cb/cb.conf

Symptoms

  1. Process Analysis page is showing last update from x months ago beyond settings in MaxEventStoreDays.
  2. The last_server_update date in Solr Process Document is fewer days than MaxEventStoreDays retention setting. 
    Note: To collect the last_server_update field from a process document follow the Process Document section of this guide:
    Query Documents Via Curl (SSH/Terminal)

Cause

A feed or watchlist hit on the processes sets the last_server_update to the current time. We want to verify that you have enough time to analyze the feed hit before the process document gets purged. This is to help reduce instances of a 404 error described here:
Selecting an event from the Alerts page results in a 404 page

Note: In rare occurrences this process can happen multiple times, extending the the retention of this document well beyond standard retention periods

Solution

The product is working as designed. When the document doesn't receive any hits till MaxEventStoreDays is reached, it will be purged.

Labels (1)
Labels:
Was this article helpful? Yes No
No ratings
Article Information
Author:
cmichaels
Creation Date:
‎01-09-2017
Views:
694
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.