Question & Answer
Question
What are some common messages and errors from the QRadar flow pipeline?
Cause
The QRadar flow pipeline has a set of descriptive error messages that can indicate possible network and performance issues. Below is a list of the common messages and their possible causes, and what to look for to verify these issues.
Answer
QFlow - no flows being generated
The QFlow flow collector generates flow data from raw packets collected on monitor ports (from spans, taps, and monitor sessions) or from external flow sources such as NetFlow, sFlow, and J-Flow. This data is then converted to QRadar flow format and sent down the pipeline for processing.
Sep 7 13:03:54 qradar [16636] qflow0: [INFO] : Interval 1283878560: 0 flows (0 bundles (0), 0 NP, 0 CO, 0 OF) 0 bytes, 0 packets
Sep 7 13:04:54 qradar [16636] qflow0: [INFO] : Interval 1283878620: 0 flows (0 bundles (0), 0 NP, 0 CO, 0 OF) 0 bytes, 0 packets
Resolution for versions 7.1 through 7.2.6
If your qflow process is not generating any flow data, check your data sources using tcpdump and review your router configurations to verify that data is being collected. Also check the "Flow Sources" configuration in the Admin tab in QRadar to verify that your flow sources are set up properly.
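The 0-flow interval lines shown above can be picked out of the log mechanically. The following is an added example, not part of the original technote or of QRadar itself: it parses lines in that format and reports qflow processes whose most recent intervals all carried no flows. The sample log lines, the two-interval threshold, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the qflow interval lines shown above.
SAMPLE_LOG = """\
Sep 7 13:02:54 qradar [16636] qflow0: [INFO] : Interval 1283878500: 12 flows (3 bundles (0), 0 NP, 0 CO, 0 OF) 4096 bytes, 40 packets
Sep 7 13:03:54 qradar [16636] qflow0: [INFO] : Interval 1283878560: 0 flows (0 bundles (0), 0 NP, 0 CO, 0 OF) 0 bytes, 0 packets
Sep 7 13:04:54 qradar [16636] qflow0: [INFO] : Interval 1283878620: 0 flows (0 bundles (0), 0 NP, 0 CO, 0 OF) 0 bytes, 0 packets
Sep 7 13:04:55 qradar [16640] qflow1: [INFO] : Interval 1283878620: 7 flows (2 bundles (0), 0 NP, 0 CO, 0 OF) 900 bytes, 9 packets
"""

# Matches the per-interval statistics line; the bracketed breakdown is skipped.
INTERVAL_RE = re.compile(
    r"\b(?P<proc>qflow\d+): \[INFO\] : Interval (?P<interval>\d+): "
    r"(?P<flows>\d+) flows \(.*?\) (?P<bytes>\d+) bytes, (?P<packets>\d+) packets"
)

def parse_intervals(text):
    """Yield (process, interval, flows, bytes, packets) for each interval line."""
    for line in text.splitlines():
        m = INTERVAL_RE.search(line)
        if m:
            yield (m["proc"], int(m["interval"]), int(m["flows"]),
                   int(m["bytes"]), int(m["packets"]))

def idle_processes(text, threshold=2):
    """Return {process: [intervals]} for each process whose latest `threshold`
    or more intervals all reported 0 flows, 0 bytes and 0 packets."""
    history = defaultdict(list)
    for proc, interval, flows, nbytes, packets in parse_intervals(text):
        empty = flows == 0 and nbytes == 0 and packets == 0
        history[proc].append((interval, empty))
    idle = {}
    for proc, records in history.items():
        run = []
        # Walk back from the newest interval until one carried traffic.
        for interval, empty in sorted(records, reverse=True):
            if not empty:
                break
            run.append(interval)
        if len(run) >= threshold:
            idle[proc] = sorted(run)
    return idle

if __name__ == "__main__":
    for proc, intervals in idle_processes(SAMPLE_LOG).items():
        print(f"{proc}: no flows for {len(intervals)} intervals since {intervals[0]}")
```

A process flagged here is a candidate for the tcpdump and Flow Sources checks described above.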

_____________________________________________________
Resolution
When this occurs and you determine that this qflow process is not going to receive any data, you should remove this process from your deployment editor.

If there should indeed be data coming in from that particular qflow process, review the resolution steps above in the qflow component.
Historical Number
1247
Document Information
Modified date:
16 June 2018
UID
swg21622511