When creating and running a live query, there are several concepts you should consider to improve the results.
For details regarding Live Query support, you should review the Carbon Black Cloud™ Audit and Remediation Operating Environment Requirements.
The list of query considerations that follows has been established to:
- Protect the endpoint from being overloaded (the maximum memory usage and the timeout).
- Protect the network from being overloaded (the 1 MB payload cap).
Live Query Considerations:
- Queries are limited to a maximum memory usage of 500MB. The query is terminated if the query's memory usage exceeds 500MB.
- The resulting query payload is limited to the maximum size of 1MB. Query results exceeding 1MB are truncated without warning.
- The user interface shows at most 10,000 results. To see the full result set, use the Export button or the Live Query API: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-liveops/latest/livequery-api/
- Queries that take over 900 seconds are terminated.
In light of these limitations, users should keep in mind that queries are not meant for broad, unfiltered pulls of large tables. For example, the following query returns every record in the Security event log:
SELECT * FROM windows_eventlog WHERE channel = 'Security'
Queries that are more granular and focused are less likely to run into one of these limitations.
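The following is an added example, not part of the original Carbon Black documentation, showing how the broad query above can be narrowed so that it stays within the memory, payload, and time limits listed earlier. It assumes the standard osquery `windows_eventlog` table columns (`channel`, `eventid`, `datetime`, `computer_name`, `provider_name`, `data`); the event ID and date values are constructed for illustration.

```sql
-- Broad form from the text: every Security event, every column. On a busy
-- endpoint this exceeds the 1 MB result cap (silent truncation) and can
-- approach the 500 MB memory limit and 900 second timeout.
SELECT * FROM windows_eventlog WHERE channel = 'Security';

-- Focused form 1: ask one question. Here, failed logons (Event ID 4625),
-- projecting only the columns an analyst needs and bounding the row count
-- so the payload stays well under 1 MB.
SELECT datetime, computer_name, provider_name, eventid, data
FROM windows_eventlog
WHERE channel = 'Security'
  AND eventid = 4625
ORDER BY datetime DESC
LIMIT 500;

-- Focused form 2: aggregate instead of returning raw rows. A count per
-- event ID answers "what is happening on this host" in a few hundred
-- bytes, regardless of how many events exist.
SELECT eventid, COUNT(*) AS event_count
FROM windows_eventlog
WHERE channel = 'Security'
GROUP BY eventid
ORDER BY event_count DESC
LIMIT 50;

-- Focused form 3: add a time bound. datetime is an ISO 8601 text column,
-- so a string comparison restricts the scan to recent events only.
-- '2024-01-01T00:00:00' is a constructed placeholder for the window start.
SELECT datetime, computer_name, eventid, data
FROM windows_eventlog
WHERE channel = 'Security'
  AND eventid IN (4624, 4625, 4672)
  AND datetime >= '2024-01-01T00:00:00'
ORDER BY datetime DESC
LIMIT 1000;
```

When a question genuinely needs more than 10,000 rows, run the focused query in the Live Query API rather than the console, and page through the results there; the `LIMIT` clauses above are guards against the 1 MB truncation, not substitutes for paging.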