Viewing logs for failed investigations

If an investigation fails, you can view QRadar® Advisor with Watson™ logs from your QRadar system.

Viewing error and warning logs

If you investigate an offense and it fails, you can view the logs to help identify the cause of the failure.

  1. Click View Logs.
    • From the Incident overview page, click the failed offense. On the Incident pane, in the Insights section, click View Logs.
    • From the Offenses tab, double-click the offense that failed. In the QRadar Advisor with Watson section, click View Logs.
  2. On the List of Events page, click Select an Option in the View field to filter on the time of the events. For example, select Last 3 hours to view logs for events that started during the last 3 hours.
  3. Double-click an Advisor Analysis Error or Advisor Analysis Warning event to view detailed logs including payload information.

Viewing debug and information logs

  1. From the Log Activity tab, click Search > Edit Search.
  2. From the Available Saved Searches section, click Advisor with Watson Audits and then click Load.
  3. In the Current Filters section, click Log Source is QRadarAdvisorwithWatson and then click Filter.