Environment

• EDR Server: 6.X and above

Symptoms

• Reoccurring error in /var/log/cb/enterprise log: 

  • <warning> cb.utils.solr_client - Error looking for writer partition. 
    <warning> cb.enterprise.tasks.solr_time_partitioner - Could not determine the current partition time. Skipping partitioning.

    
     

Cause

Resolution

1. Stop services if they are running
   1. Single node: 

      service cb-enterprise stop

   2. Cluster: 

      /usr/share/cb/cbcluster stop

2. If a empty core with a date newer than the prior writer core is present, skip to step 3. Otherwise, follow step 2:
   1. Create a new core directory:

      mkdir /var/cb/data/solr5/cbevents/cbevents_YYYY_MM_DD_HHmm/

      Example:  

      mkdir /var/cb/data/solr5/cbevents/cbevents_2017_08_14_1544/

   2. Set the correct permissions:

      chown cb:cb /var/cb/data/solr5/cbevents/CORENAME

      Example: 

      chown cb:cb /var/cb/data/solr5/cbevents/cbevents_2017_08_14_1544

3. Set this core to the writer core through the core.properties file
   1. Create the file:

      touch /var/cb/data/solr5/cbevents/CORENAME/core.properties

      Example: 

      touch /var/cb/data/solr5/cbevents/cbevents_2017_08_14_1544/core.properties

   2. Set the correct permissions:

      chown cb:cb /var/cb/data/solr5/cbevents/CORENAME/core.properties

      Example:

      chown cb:cb /var/cb/data/solr5/cbevents/cbevents_2017_08_14_1544/core.properties

   3. Add the following content to the core.properties file:

      #Written by CarbonBlackSupport 
      #CURRENTDATE
      name=writer
      configSet=cbevents_v2

4. Start Services
   1. Single node: 

      service cb-enterprise start

   2. Cluster: 

      /usr/share/cb/cbcluster start

Related Content

• EDR: Error: "Found multiple cores with the name"
• EDR: How to Restart Server Services