Troubleshooting the IBM Security QRadar Suite KQL Plugin
Use the following information to troubleshoot your IBM® Security QRadar® Suite KQL Plugin.
Quality of service (QoS)
QoS in a QRadar Suite deployment consists of the following components, each of which is controlled by a feature flag in the deployment:
- query status = QUEUED
- query caching
- query rate limiter
Use the IBM Security QRadar Suite KQL Plugin timeout configuration together with QoS to optimize dashboard performance.
Troubleshooting data source errors
Code | Error message | Issue | Solution
---|---|---|---
400 | check your host url | The host cannot be contacted because the host address or port number is incorrect. | Correct the host address and port number in the data source settings.
401 | check your API Key, API Secret or Account ID | The information in your API Key, API Secret, or Account ID field is incorrect or missing. | Enter the correct API Key, API Secret, and Account ID in the data source settings.
| storage data access service unavailable | This error message indicates an issue with your QRadar Suite environment. | Contact your IBM system administrator.
| qradar suite database unavailable | This error message indicates an issue with your QRadar Suite environment. | Contact your IBM system administrator.
Troubleshooting query errors
Error message | Issue
---|---
STORAGE_DAS_ERROR:3000 Invalid Syntax; STORAGE_DAS_ERROR:3010 Invalid Syntax | Your KQL query syntax contains an error near the reported keyword.
STORAGE_DAS_ERROR:5000 Invalid Table | The table that is referenced in your KQL query does not exist.
STORAGE_DAS_ERROR:4000 Missing Column | The column that is referenced in your KQL query does not exist.
STORAGE_DAS_ERROR:2000 Number of arguments does not match; STORAGE_DAS_ERROR:2010 Too few arguments for function; STORAGE_DAS_ERROR:2020 Too many arguments for function | A function in your KQL query is called with an incorrect number of arguments.
STORAGE_DAS_ERROR:7000 Invalid data type | Your KQL query contains an invalid cast type on an argument.
STORAGE_DAS_ERROR:8000 Unknown function | Your KQL query contains a function that is not supported.
your KQL query returned an empty result set | No data matches the query in the specified time frame.
kql query syntax error | Your KQL query is invalid.
Time series queries must retrieve at least one datetime field named time and one numeric field. Returning table format instead. | Your KQL query does not return a datetime field named time together with a numeric field, so the panel falls back to table format.
To correct a query, edit it in the dashboard panel:
- In your Grafana instance, from the navigation menu, click Dashboards.
- On the Dashboards page, click the relevant dashboard.
- On the panel that you want to edit, click the Menu icon, and then click Edit.
- Edit your query, and then click Save.
- In the Save dashboard panel, enter a description of your changes, and then click Save.
For more information about KQL queries, see Kusto Query Language (KQL) overview.
Enabling Grafana logging
The plugin writes all of its log entries at DEBUG level, so they do not appear at Grafana's default logging level. To see them while you troubleshoot, enable DEBUG level logging in the Grafana configuration. Debug logging is verbose and can include the text of the queries that the plugin runs, so revert the setting when you are finished.
- To open the grafana.ini file, run the following command:
vi /etc/grafana/grafana.ini
- In the grafana.ini file, in the Logging section, update the following lines:
#################################### Logging ##########################
[log]
;level=
with the following entry:
#################################### Logging ##########################
[log]
level=debug
- To restart Grafana and apply the changes, run the following command:
sudo /bin/systemctl restart grafana-server.service
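The same edit, as an added example that is not part of IBM's documentation or the plugin: a POSIX shell script that sets the level key inside the [log] section of a grafana.ini file, reads the active value back, and reverts it, so the change is not left behind after troubleshooting. The function names, the temporary file path, and the sample INI fragment are assumptions constructed for illustration; on a real host the file is /etc/grafana/grafana.ini, as in the procedure above.

```shell
#!/bin/sh
# Added example (not IBM documentation or plugin code): toggle the [log]
# level in a grafana.ini file and read it back. The function names, the
# temporary path, and the sample INI fragment below are constructed.

# set_grafana_log_level INI_FILE LEVEL
# Writes "level = LEVEL" inside the [log] section only. It replaces a
# commented (";level =") or active ("level =") key there and leaves keys
# of the same name in other sections (such as [log.console]) untouched.
set_grafana_log_level() {
    ini="$1"
    level="$2"
    tmp="$ini.tmp.$$"
    awk -v lvl="$level" '
        /^\[/ {
            # Leaving [log] without having written a level key: append one.
            if (in_log && !done) { print "level = " lvl; done = 1 }
            in_log = ($0 == "[log]")
        }
        in_log && /^[ \t]*;?[ \t]*level[ \t]*=/ {
            print "level = " lvl
            done = 1
            next
        }
        { print }
        END { if (in_log && !done) print "level = " lvl }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# get_grafana_log_level INI_FILE
# Prints the active (uncommented) level value from the [log] section, or
# nothing if the key is absent or commented out (Grafana then uses its default).
get_grafana_log_level() {
    awk '
        /^\[/ { in_log = ($0 == "[log]") }
        in_log && /^[ \t]*level[ \t]*=/ {
            sub(/^[ \t]*level[ \t]*=[ \t]*/, "")
            print
            exit
        }
    ' "$1"
}

# make_sample_ini FILE: writes a constructed grafana.ini fragment for the demo.
make_sample_ini() {
    cat > "$1" <<'EOF'
[server]
http_port = 3000

#################################### Logging ##########################
[log]
;mode = console file
;level =

[log.console]
;level =
;format = console
EOF
}

# Demo against a temporary copy, never the live /etc/grafana/grafana.ini.
# On a real host, follow the edit with:
#   sudo /bin/systemctl restart grafana-server.service
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_ini "$f"
    set_grafana_log_level "$f" debug
    echo "[log] level after enabling: $(get_grafana_log_level "$f")"
    set_grafana_log_level "$f" info
    echo "[log] level after reverting: $(get_grafana_log_level "$f")"
    rm -f "$f"
fi
```

Run the script with --demo to see the edit applied and reverted on a throwaway copy. Against the real file, run set_grafana_log_level /etc/grafana/grafana.ini debug as root, restart grafana-server.service, and set the level back to info (or re-comment it) once the plugin's DEBUG entries have been collected.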
Time Zone
To ensure that your dashboards return accurate results, the dashboard time zone must match the QRadar Suite instance time zone.
- From the navigation menu, click the Dashboards icon.
- On the Dashboards page, click the dashboard that you want to edit.
- Click the Dashboard settings icon.
- In General > Time options, set the dashboard time zone to match the QRadar Suite instance time zone.
- To save your dashboard, click Save dashboard.