
Carbon Black Cloud: Alerts page searching on device_name field containing hyphens-dashes returns additional alerts for other device names containing hyphens-dashes.


Environment

  • Carbon Black Cloud Console: All versions
  • Carbon Black Cloud Sensors: All versions

Symptoms

Searching the Alerts page for device_name: AAA-XYZ returns alerts for any device_name ending in "-XYZ" (e.g. BBB-XYZ, CCC-XYZ, etc.).

Cause

This is functioning as designed. The Alerts page uses Elasticsearch as its underlying search engine. This engine requires that special characters be escaped, including in the device_name field.

Resolution

  1. To achieve the desired result, place the name of the device in double quotes, like so:

     alerts query -> device_name:"AAA-XYZ"

     This returns alerts only for AAA-XYZ.
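
For saved or scripted Alerts searches, the quoting rule above can be applied mechanically so that a query scoped to one host does not pull in alerts from others. The following Python is an added example, not Carbon Black code: the function names are hypothetical, the sample queries are constructed, and it assumes the Alerts search accepts backslash-escaped quotes inside a quoted phrase, as standard Elasticsearch query-string syntax does.

```python
import re

# Inside a double-quoted phrase, only the quote and backslash need escaping
# (assumed: standard Elasticsearch query-string rules).
_PHRASE_ESCAPES = re.compile(r'(["\\])')

# An unquoted device_name term: the value runs to whitespace, a paren or a quote.
_UNQUOTED_TERM = re.compile(r'\b(device_name):(?!")([^\s()"]+)')


def quoted_term(field, value):
    """Return field:"value" with embedded quotes and backslashes escaped."""
    return '{}:"{}"'.format(field, _PHRASE_ESCAPES.sub(r'\\\1', value))


def harden_query(query):
    """Quote unquoted device_name values that contain a hyphen.

    Returns (rewritten_query, rewritten_values, needs_review). Values that
    also contain a wildcard are left alone and listed in needs_review,
    because quoting them would turn the wildcard into a literal.
    """
    rewritten, needs_review = [], []

    def fix(match):
        field, value = match.group(1), match.group(2)
        if "-" not in value:
            return match.group(0)
        if "*" in value or "?" in value:
            needs_review.append(value)
            return match.group(0)
        rewritten.append(value)
        return quoted_term(field, value)

    return _UNQUOTED_TERM.sub(fix, query), rewritten, needs_review


if __name__ == "__main__":
    # Constructed sample queries using the article's device names.
    for q in ('device_name:AAA-XYZ',
              '(device_name:AAA-XYZ OR device_name:BBB01)',
              'device_name:"AAA-XYZ"',
              'device_name:AAA-*'):
        print(q, "->", harden_query(q))
```

Queries that land in needs_review combine a hyphen with a wildcard and should be checked by hand against the results they return.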

 

Additional Notes

The Investigate page's device_name field does NOT need escaping; it behaves differently from the Alerts page because it uses a different search engine.

Article Information

Creation Date: 10-03-2022