Storage expansion

By creating multiple external volumes and mounting them at /store/ariel/events and /store/ariel/flows, you can expand your storage capacity past the single file system that is configured by default with IBM QRadar. A single file system supports up to 500 TB.

Store partition

Any subdirectory in the /store file system can be used as a mount point for your external storage device. However, only the /store and /store/ariel file systems are supported for offboarding in a high-availability (HA) deployment.

If you want to move dedicated event or flow data, you might configure more specific mount points. For example, you can configure /store/ariel/events/records and /store/ariel/events/payloads as mount points.
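
The mount-point rule above can be checked against a host's mount table. The following is an added example, not IBM tooling: the function names, the verdict labels, and the sample mount table are assumptions constructed for illustration, and the input is expected in /proc/mounts format.

```shell
#!/bin/sh
# Added example: classify mount points at or under /store against the HA
# offboard rule (only /store and /store/ariel are supported with HA).
# Input format is that of /proc/mounts: device mountpoint fstype options ...

# Constructed sample mount table (device and NFS server names are hypothetical).
SAMPLE_MOUNTS='/dev/sda3 / xfs rw 0 0
/dev/sdb1 /store xfs rw 0 0
nas01:/export/ariel /store/ariel nfs rw 0 0
/dev/sdc1 /store/ariel/events/records xfs rw 0 0
/dev/sdd1 /store/ariel/events/payloads xfs rw 0 0
/dev/sde1 /storefoo xfs rw 0 0'

# classify_store_mounts: read a mount table on stdin and print
# "<mountpoint> <fstype> <verdict>" for every mount at or under /store.
classify_store_mounts() {
    while read -r _dev mnt fstype _rest; do
        case "$mnt" in
            /store|/store/ariel) verdict="ha-supported" ;;
            /store/*)            verdict="not-ha-supported" ;;
            *)                   continue ;;  # outside /store (e.g. /storefoo)
        esac
        printf '%s %s %s\n' "$mnt" "$fstype" "$verdict"
    done
}

# ha_offboard_ok: succeed only if no mount under /store falls outside
# the two mount points supported for HA offboarding.
ha_offboard_ok() {
    ! classify_store_mounts | grep -q ' not-ha-supported$'
}

# Show the classification for the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | classify_store_mounts
```

On a live host, pipe /proc/mounts into the same functions, for example `ha_offboard_ok < /proc/mounts` before converting a deployment to HA.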

More storage expansion options

You can add more data storage to a QRadar host or optimize your current storage by using one or more of these options (https://www.ibm.com/support/pages/qradar-reaching-data-storage-limits):
  • Install a Data Node. Data Nodes enable new and existing QRadar deployments to add storage and processing capacity on demand as required.
  • Configure your Network File System (NFS) storage. You can configure NFS for a stand-alone QRadar Console, new QRadar HA deployments, or existing QRadar HA deployments.
  • Configure your retention policies to define how long QRadar is required to keep event and flow data, and what to do when that data reaches a certain age.
  • Enable event coalescing (https://www.ibm.com/support/pages/qradar-how-does-coalescing-work-qradar) to improve performance and reduce storage impact when a large burst of events that match specific criteria is received.