Data Explorer troubleshooting

How you troubleshoot Data Explorer issues depends on the databases that you use. Understanding the current settings and configuration of your IBM Security QRadar® Suite Software beforehand can help with diagnosis and resolution.

Cluster and data source unavailable in Data Explorer

Resolve Cluster and data source unavailable alerts in Data Explorer.

Data source unavailable symptoms

After running a query, you receive one of the following messages.

  • The cluster is busy processing other requests and does not respond to your queries.
  • This data source is busy processing other requests. Your queries have been placed in the queue.
  • Data Explorer cannot connect to a data source.

Data source unavailable cause

Either the cluster or the data source is busy processing other requests and cannot accept your query request.

Resolving the data source unavailable problem

  • Retry submitting your request when you receive the following message.

    The cluster is busy processing other requests and does not respond to your queries.
  • Wait a few minutes for the data source to respond to your requests when you receive the following message.

    This data source is busy processing other requests. Your queries have been placed in the queue.
  • Verify your data source settings and try again when you receive the following message.

    Data Explorer cannot connect to a data source.

Inconsistent search results in Data Explorer

You might receive different search results when you use the same queries and settings.

Inconsistent results symptoms

When you use the same data source settings and query statements, you might receive different search results in different versions of Data Explorer.

Inconsistent results cause

Each data source has a search limit, and the number of search results can vary each time a query is submitted.

Resolving the inconsistent results problem

Wait for a few minutes or use the same version of Data Explorer for your searches.

Storage almost full alert in Data Explorer

Resolve a Storage almost full alert in Data Explorer.

Storage full symptoms

When you run a query in Data Explorer, you receive a Storage almost full alert.

Storage full cause

When the available storage percentage of the allocated space for Data Explorer is less than 5%, a Storage almost full alert is displayed.

Tip: The default storage limit for Data Explorer is 20 GB. However, the actual space might vary based on your IBM Cloud® purchase plan.

Resolving the storage full problem

The steps required to resolve this problem are different depending on the database you use.

CouchDB
  1. To obtain the current usage of your Persistent Volume Claim (PVC), run the following command:
    curl -X POST "https://{{$domain}}/investigate/api/v1/compact" -H "Authorization: Bearer $JWT"
  2. Run the investigate/api/v1/compact API to remove the unused data in the Data Explorer database. By doing so, you do not clear the searches that were created by users.
  3. When you need more storage space, use another PVC that has the amount of storage you need.
IBM® Cloudant®
To obtain the current storage usage, run the following command:
curl "https://$ACCOUNT.cloudant.com/_api/v2/monitoring/disk_use?cluster=myclustername&format=json"
For more information, see Monitoring an IBM Cloudant cluster.
Tip: Cloudant uses automatic compactions to ensure that only the minimal amount of data is kept. You can purchase more storage space. For more information, see Pricing.