IBM Support

Why do Ariel Charts show activity at the end when there are no events?

Question & Answer


Question

Using the QRadar Search functionality, why do Ariel Charts show activity at the end of charts when there are no incoming events? In Log Activity, one might see a peak at the end of a chart even if there are no events matching that time period.
[Figure: Log Activity chart showing a peak at the end of the time period although no events match it]

Cause

The final "peak" or "data point" on the chart is the average of the other data points on the chart.
Chart data is accumulated once per interval, but at the final data point accumulation is not yet complete. Instead, the final point is "guessed" by taking the average of all previous data points and placing that value at the end of the graph.
For example, if there are 75 minutes (and 75 data points), the search retrieves the accumulated values for the first 74 data points and adds them to the chart.
The final data point, minute 75, is not yet calculated, so the average EPS of the previous 74 data points is displayed instead. A small peak can appear even if there are no events in that interval, because the point shows the average of all previous values.
An example chart showing the behaviour:
[Figure: example chart showing the behaviour]
The final data point at 11:03 is the average value of the rest of the chart's values.
Note:
Chart A shows flowing EPS. If the chart assumed 0 for the final point, it would look as if events were dropped or collection had stopped.
Chart B shows constant 0 EPS. The final point shows as 0.
Chart C shows the peak at the end occurring. The final data point is the average of the previous accumulated data points.
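The following is an added illustration of the rule described above, not QRadar's own code: it models a 75-point chart whose first 74 intervals are complete and fills the 75th with the average of those values, using constructed EPS series that correspond to Charts A, B and C.

```python
"""Constructed model of how the final Ariel chart data point is filled.

This is an illustrative reimplementation written for this article, not
QRadar's code. The interval values below are constructed sample data; the
74 completed intervals plus one estimated point match the page's example
of a 75-minute chart.
"""
from statistics import mean
from typing import List, Sequence


def final_point_as_average(accumulated: Sequence[float]) -> List[float]:
    """Return the plotted series: completed intervals plus an estimated final point.

    `accumulated` holds the EPS values of the intervals whose accumulation has
    finished. The final, incomplete interval is estimated as the average of
    those values, which is why a long run of 0 EPS after earlier activity still
    shows a small "peak" at the right edge of the chart.
    """
    if not accumulated:
        return [0.0]
    return list(accumulated) + [mean(accumulated)]


def final_point_as_zero(accumulated: Sequence[float]) -> List[float]:
    """The alternative the article rejects: plotting the incomplete interval as 0.

    On a steadily flowing chart this produces a sudden drop at the last point,
    which looks like dropped events or a stopped collector.
    """
    return list(accumulated) + [0.0]


def describe_final_point(accumulated: Sequence[float]) -> str:
    """Classify the estimated final point relative to the last completed interval."""
    series = final_point_as_average(accumulated)
    last_completed = accumulated[-1] if accumulated else 0.0
    if series[-1] > last_completed:
        return "peak"   # Chart C: the average exceeds the current quiet rate
    if series[-1] < last_completed:
        return "dip"    # rate has risen recently, so the average lags behind
    return "flat"       # Charts A and B: constant series, average equals it


# Constructed 74-interval EPS samples corresponding to the page's Charts A, B and C.
CHART_A = [50.0] * 74                   # steady flow of events
CHART_B = [0.0] * 74                    # no events at all
CHART_C = [40.0] * 10 + [0.0] * 64      # events early on, then silence
```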

Answer

The application is working as designed. The graph is part of a general overview of the data and might not reflect the event load of the system precisely. An average value is calculated for the end of the graph so the user is not given the impression that event collection suddenly failed (a value of 0 would appear as a sudden drop at the last data point).
For more information about event rate graphs, refer to this link:


Product Synonym

QRadar; QRadar SIEM

Document Information

Modified date:
21 February 2020

UID

ibm12495199