Watchlists can provide you with valuable information about conditions that matter in your environment. You might need to fine-tune watchlists for your environment, based on their performance and the quality of the information they provide.

You can monitor the status of a watchlist to see whether and when it has executed, and whether there are any error conditions associated with the watchlist. If you find that the watchlist is not performing as expected, you can edit, disable, or delete it.

Watchlist Status

Watchlists show the following status in the table view:

  • Queued – A watchlist was recently created and is waiting to be executed.
  • Timeout – A watchlist does not execute successfully (or generates an error) after two minutes. A timed-out watchlist will be re-tried, but will only be run on events that appeared between its failed execution and the retry time.
  • Expired – The watchlist has not had any hits in the specified period. See Configure Watchlist Expiration.
  • Error – An error occurred during watchlist execution, which means that the watchlist did not execute successfully. If you are unable to resolve an error condition, consider contacting Carbon Black Support.

In the Watchlist Details panel, descriptive messages display if the last execution of the watchlist resulted in an error or a timeout. For successful executions, the Watchlist Details panel shows the following:

  • Last execution – The time of the last successful execution.
  • Duration – The duration required to complete execution.

Slow or Error-producing Watchlists

Temporary conditions might cause a watchlist to time out or fail with an error message. However, if a watchlist continues to fail, you might need to investigate it and consider modifying the query or deleting the watchlist.

You can identify slow or error-producing watchlists on the watchlist table by using the Duration choice on the Sort by menu.

The duration dropdown menu

This action produces the following results:

  • Watchlists that have not executed successfully, including disabled, queued, errored out or timed out watchlists, appear first. Because you are not usually interested in disabled watchlists, consider clicking the Enabled tab to eliminate disabled watchlists from your results.

  • After the non-executed watchlists, watchlists that have been executed successfully are listed, beginning with the slowest (longest duration) watchlist and then in descending order of duration.

Duration, timeout, and error status are also displayed underneath the watchlist name in the Watchlist Details panel.

After you identify a problematic watchlist, you can examine its Query field or Feed Score Criteria to see whether there are any obvious issues, such as leading wildcards in the query. Advanced Search Queries includes guidelines for creating queries, including query usage that could cause difficulties.
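
The triage described above, as an added example that is not Carbon Black code: it orders constructed watchlist records the way the Duration sort does (with the Enabled tab applied by default) and flags query terms that begin with a wildcard. The record field names, the "ok" status value, and the sample queries are assumptions made for this example, not the product's API schema.

```python
import re

# Constructed sample records. Field names and the "ok" status are assumptions
# made for this example, not the product's API schema.
WATCHLISTS = [
    {"name": "Temp unsigned", "enabled": True, "status": "ok",
     "duration_s": 4.2, "query": "path:temp* digsig_result:Unsigned"},
    {"name": "Svchost anywhere", "enabled": True, "status": "timeout",
     "duration_s": None, "query": "process_name:*svchost.exe"},
    {"name": "PowerShell cmdline", "enabled": True, "status": "ok",
     "duration_s": 97.5, "query": "cmdline:*powershell* -process_name:?md.exe"},
    {"name": "Old lab test", "enabled": False, "status": "ok",
     "duration_s": 1.0, "query": "hostname:lab*"},
    {"name": "Queued new", "enabled": True, "status": "queued",
     "duration_s": None, "query": "netconn_count:[100 TO *]"},
]

# A term (optionally negated and field-qualified) whose value starts with * or ?
# and continues; a bare "*" and the open end of a range are not flagged.
LEADING_WILDCARD = re.compile(r'(?:^|[\s(])[-+]?(?:\w+:)?([*?][^\s)"\]]+)')

def leading_wildcards(query):
    """Return the term values in `query` that begin with a wildcard."""
    unquoted = re.sub(r'"[^"]*"', '""', query)  # quoted phrases are skipped here
    return LEADING_WILDCARD.findall(unquoted)

def duration_sort(watchlists, enabled_only=True):
    """Not-yet-successful watchlists first, then successful ones, slowest first."""
    rows = [w for w in watchlists if w["enabled"] or not enabled_only]
    def key(w):
        executed = w["enabled"] and w["status"] == "ok"
        return (executed, -(w["duration_s"] or 0) if executed else 0)
    return sorted(rows, key=key)

def triage(watchlists):
    """(name, status, duration, leading-wildcard terms) in Duration-sort order."""
    return [(w["name"], w["status"], w["duration_s"], leading_wildcards(w["query"]))
            for w in duration_sort(watchlists)]

if __name__ == "__main__":
    for name, status, duration, terms in triage(WATCHLISTS):
        note = "leading wildcard: " + ", ".join(terms) if terms else ""
        print(f"{name:20} {status:8} {duration!s:>6} {note}")
```
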

If you are unable to modify a watchlist in a way that produces efficient, successful performance, you can contact Carbon Black Support for further troubleshooting.