MFG
7 Posts

Pinned topic Accumulated data warning

‏2014-02-11T16:19:29Z |

I created a daily report based on events received. I am getting an exclamation mark next to the report indicating: "Accumulated data for the following chart(s) is incomplete: Name of the filter". As the warning says, the report is not showing all the information. The warning has a note saying that I have to run the report on raw data to get the full information, but this report has to be generated automatically on a daily basis and I don't see an option to run the report on raw data automatically. This is on QRadar 7.1 MR1.

Any help is appreciated.

Thanks.

  • Alaa Ali
    3 Posts

    Re: Accumulated data warning

    ‏2014-02-11T23:08:25Z  

    If I'm not mistaken, you should only get that exclamation mark the first time (or first two times) the report runs. What is happening with you is that you are probably running the daily report as soon as you created it.

    Daily reports "accumulate" (think of it as "indexing" or "storing") the data from the previous day, but since you just created it (or a day has not passed), it didn't get the chance to accumulate the data that you need. So, once 24 hours have passed from the time you created the report, it should run the next time normally without needing that option. So the next time (or the next 2 times, depending on the time you created the report and that data it's accumulating) that the report runs automatically, it should run without needing to choose the Raw Data option.

  • JonathanPechtaIBM
    14 Posts

    Re: Accumulated data warning

    ‏2014-02-11T23:10:24Z  

    MFG,

    There is no way to automatically run a report on raw data. You have to highlight the report, then select Actions > Run Report on Raw Data.

    There is an APAR (IV54289) where the system tags reports with table views with the notification "Accumulated data not available". If the report you are running generates data with Graph type -> Table, then you could be hitting this issue. However, it was only reported in 7.1MR2 initially. If the issue appears to be reoccurring, then I would look at the APAR to see if your system generates a matching error message as described.

    If you have concerns about this, you can call in to support to discuss this issue further and someone can help verify the issue.

    Hope this helps.

  • JonathanPechtaIBM
    14 Posts

    Re: Accumulated data warning

    ‏2014-02-12T00:37:55Z  

    Ah, yes. I was assuming this was an existing report and not necessarily a new report.

    Accumulations build off of each other, so if this is a new report then the information that is required to create the table might not exist yet, which is why you get the notification in the report view. As Alaa Ali mentioned, accumulations are aggregated data points that can be thought of as indexes. Accumulations are used to enhance performance in reports, graphs, searches, etc. There are three types of accumulations the system creates.

    1. Minute-by-minute: Each minute, the system takes the data and creates an accumulation for the system.
    2. Hour-by-hour: Each hour, the system takes the minute-by-minute accumulation and creates an hourly accumulation.
    3. Day-by-day: Each day, the system takes the hour-by-hour accumulation and creates a daily accumulation.

    The purpose of this is that it allows us to look up data for your report, graph, or search and have a pre-indexed data set to review, instead of having to search through the raw event data based on the time frame you selected. If you are attempting to create a daily report, but the daily accumulation does not exist yet, then the system notifies you that an accumulation does not exist and recommends that you run the report against the raw system data. Raw data searches take more time, but as Alaa Ali mentioned, if this is a brand new report then the accumulation just needs time to complete, which is why the exclamation is displayed.

    Hope this helps. If this is a new report, then you can ignore my post below.
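A simplified model of the minute/hour/day accumulation described in the post above, added here as an illustration; it is not part of the original thread and not QRadar's actual implementation. It assumes accumulation begins when the search is created and that a day counts as complete only when every minute of it was accumulated; all names, timestamps and events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

def accumulate(events, created_at, now):
    """Roll timestamps up minute -> hour -> day, starting at created_at.

    Returns {day: (event_count, minutes_covered)}. Events older than
    created_at are never accumulated; they exist only as raw data.
    """
    minutes = Counter()
    t = created_at.replace(second=0, microsecond=0)
    while t < now:                        # one bucket per elapsed minute
        minutes[t] = 0
        t += timedelta(minutes=1)
    for ts in events:
        m = ts.replace(second=0, microsecond=0)
        if m in minutes:
            minutes[m] += 1
    hours = {}
    for m, n in minutes.items():          # hourly rollup from minute buckets
        h = m.replace(minute=0)
        cnt, cov = hours.get(h, (0, 0))
        hours[h] = (cnt + n, cov + 1)
    days = {}
    for h, (n, cov) in hours.items():     # daily rollup from hourly rollups
        cnt, c = days.get(h.date(), (0, 0))
        days[h.date()] = (cnt + n, c + cov)
    return days

def daily_report(day, events, created_at, now):
    """Return (accumulated_count, raw_count, complete) for one calendar day."""
    count, covered = accumulate(events, created_at, now).get(day, (0, 0))
    raw = sum(1 for ts in events if ts.date() == day)
    return count, raw, covered == 24 * 60

# Constructed sample: one event every 30 minutes across three days.
EVENTS = [datetime(2014, 2, 10) + timedelta(minutes=30 * i) for i in range(144)]
CREATED = datetime(2014, 2, 11, 10, 30)   # search created mid-morning
NOW = datetime(2014, 2, 13)
DAY1 = datetime(2014, 2, 11).date()       # day the search was created
DAY2 = datetime(2014, 2, 12).date()       # first full day afterwards

if __name__ == "__main__":
    for d in (DAY1, DAY2):
        print(d, daily_report(d, EVENTS, CREATED, NOW))
```

In this model the report for the creation day undercounts (27 accumulated against 48 raw events) and is flagged incomplete, while the following day matches the raw data.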

  • sandeepchi
    1 Post

    Re: Accumulated data warning

    ‏2015-01-08T07:40:14Z  

    Hello Jonathan,

    I am also facing the same issue. The QRadar version is 7.2.4. The search and the report based on this search were created yesterday. The report ran successfully on raw data, but I am still not able to select a graph type other than table. Also, I am not able to see any option to enable data accumulation in the saved search.

    Regards,

    Sandeep Chinchorkar