Troubleshooting the IBM Security QRadar Suite KQL Plugin

Use the following information to troubleshoot your IBM® Security QRadar® Suite KQL Plugin.

Important: If you are unable to resolve an issue with your IBM Security QRadar Suite KQL Plugin, Grafana dashboards, Grafana dashboard panels, or KQL query, contact Customer Support (www.ibm.com/support/).

Quality of service (QoS)

The QRadar Suite Storage Data Access Service API has three QoS components:
  • query status = QUEUED
  • query caching
  • query rate limiter

Feature flags in a QRadar Suite deployment control the QoS components. The IBM Security QRadar Suite KQL Plugin timeout configuration can be used to optimise dashboard performance with QoS.

Troubleshooting data source errors

Table 1. Common data source issues and response codes
Code Error message Issue Solution
400 check your host url The host cannot be contacted because the host address or port number is incorrect.
  1. In your Grafana instance, from the navigation menu, click Administration > Data Sources.
  2. On the Data sources page, select the QRadar Suite KQL Plugin data source from the table.
  3. In the Host field, enter your QRadar Suite cluster URL.
  4. Click Save & Test.
401 check your API Key, API Secret or Account ID The information in your API Key or Account ID field is incorrect or missing.
  1. In your Grafana instance, from the navigation menu, click Administration > Data Sources.
  2. On the Data sources page, select the QRadar Suite KQL Plugin data source from the table.
  3. In the API Key field, enter your QRadar Suite Grafana user API Key.
  4. In the Account ID field, enter your QRadar Suite account ID.
  5. Click Save & Test.
  storage data access service unavailable This error message indicates an issue with your QRadar Suite environment. Contact your IBM system administrator.
  qradar suite database unavailable This error message indicates an issue with your QRadar Suite environment. Contact your IBM system administrator.

Troubleshooting query errors

Table 2. Common KQL query issues and response codes
Error message Issue
STORAGE_DAS_ERROR:3000 Invalid Syntax

STORAGE_DAS_ERROR:3010 Invalid Syntax

Your KQL query syntax contains an error near the keyword.
STORAGE_DAS_ERROR:5000 Invalid Table The table that is referenced in your KQL query does not exist.
STORAGE_DAS_ERROR:4000 Missing Column The column that is referenced in your KQL query does not exist.
STORAGE_DAS_ERROR:2000 Number of arguments does not match

STORAGE_DAS_ERROR:2010 Too few arguments for function

STORAGE_DAS_ERROR:2020 Too many arguments for function

A function in your KQL query contains an incorrect number of arguments.
STORAGE_DAS_ERROR:7000 Invalid data type Your KQL query contains an invalid cast type on an argument.
STORAGE_DAS_ERROR:8000 Unknown function Your KQL query contains a function that is not supported.
your KQL query returned an empty result set No data is returned in the specified time frame.
kql query syntax error Your KQL query is invalid.
Time series queries must retrieve at least one datetime field named time and one numeric field. Returning table format instead. Your KQL query is missing the time field.
To resolve these issues, you must correct your KQL query. To edit your query, follow these steps:
  1. In your Grafana instance, from the navigation menu, click Dashboards.
  2. On the Dashboards page, click the relevant dashboard.
  3. On the panel that you want to edit, click the Menu icon (Menu icon), and then click Edit.
  4. Edit your query, and then click Save.
  5. In the Save dashboard panel, enter a description of your changes, and then click Save.
Important: The  storage data access service unavailable  and  qradar suite database unavailable  data source error messages are also displayed in the dashboard query editor. These error messages indicate an issue with your QRadar Suite environment. To resolve these issues, contact your IBM system administrator.

For more information about KQL queries, see Kusto Query Language (KQL) overview.

Enabling Grafana logging

All plugin log entries are DEBUG level. To provide more details during troubleshooting, enable Grafana DEBUG level logging in the configuration settings.

  1. To open the grafana.ini file, run the following command:
    vi /etc/grafana/grafana.ini 
  2. In the grafana.ini file, in the plugins configuration section, update the following line:
    #################################### Logging ##########################
    [log]
    ;level=
    with the following entry:
    #################################### Logging ##########################
    [log]
    level=debug
  3. To restart Grafana and apply the changes, run the following command:
    sudo /bin/systemctl restart grafana-server.service

Time Zone

To ensure that your dashboards return accurate results, the dashboard time zone must match the QRadar Suite instance time zone.

  1. From the navigation menu, click the Dashboards icon (Grafana Dashboards icon).
  2. On the Dashboards page, click the dashboard that you want to edit.
  3. Click the Dashboard settings icon (Dashboard settings icon).
  4. In General > Time options, set the dashboard time zone to match the QRadar Suite instance time zone.
  5. To save your dashboard, click Save dashboard.