Troubleshooting
Problem
Health Metric events are not visible in the Log Activity tab because of issues with the Health Metrics Custom Event Properties.
Cause
If the Health Metrics Custom Event Properties are not set up correctly, QRadar Health Metric events might be missing from the Log Activity tab.
Diagnosing The Problem
Verifying the issue
To verify this issue, start by running a search in the Log Activity tab of QRadar.
- Log in to the QRadar Console.
- Click the Log Activity tab.
- Click Add Filter.
- From the drop-down options, select Log Source [Indexed], Equals, and Health Metrics-2 :: hostname
- Click Add Filter.
- Click View and select a timeframe of 15 minutes.
Results
If no results are returned when the search completes, then the administrator should ensure that the custom properties exist that the Health Metrics-2 DSM requires.
Custom properties required to parse health metric events
To check the custom event properties, go to Admin > Data Sources > Custom Event Properties. There are seven Custom Event Properties for Health Metric Log Source Types:
Component Name
Component Type
Deployment ID
Element
Hostname
Metric ID
Value
Use the Search functionality to search for each of the Custom Event Property names and verify that each one exists and is unique. Also, verify that their Log Source Type is set to Health Metrics. After you have verified that they are unique and that their Log Source Type is set correctly, you can use the Search functionality to view them together by searching for Health Metrics. When the Log Source Type values are all set correctly, the search result should look like the picture below:
Compare the remaining values (Type, Event Name, Expression, Username, Enabled) to make sure they all match the example listed above.
Resolving The Problem
If you identified any issues when running the checks described in the Diagnosing the Problem section, perform any of the following actions as needed:
Missing Property
If you identified one or more Custom Event Properties as missing, you can use the Add button to recreate it. The correct values for the required fields should match the example in the previous section and are as follows:
Property Type: Regex
Property Definition: Any of the Property Names listed.
Optimize parsing for rules, reports, and searches: Checked
Field Type: AlphaNumeric (Note: for the Value property, choose Numeric)
Enabled: Checked
Log Source Type: Health Metrics
Log Source: All
Event Name: Use the Browse button and search for Health Metrics, which has QID 940000001
Extraction Regex: This field should have the value listed under the Expression column in the Custom Event Properties list. Each Custom Event Property has a unique value. The correct values for each of them are as follows:
Component Name: ComponentName=(\S+)
Component Type: ComponentType=(\S+)
Deployment ID: DeploymentID=(\S+)
Element: Element=(\S+)
Hostname: HostName=(\S+)
Metric ID: MetricID=(\S+)
Value: Value=(\S+)
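As an added check that is not part of the original IBM document, the script below runs the seven extraction regexes listed above against a constructed sample payload and reports any property whose expression does not match, or whose Value capture is not numeric. The payload is an assumption in the key=value form the expressions expect; replace it with a payload copied from the Log Activity tab to check the expressions configured in your own deployment.

```python
import re

# The seven Health Metrics custom event properties and their extraction
# regexes, exactly as listed in the Expression column above.
HEALTH_METRIC_PROPERTIES = {
    "Component Name": r"ComponentName=(\S+)",
    "Component Type": r"ComponentType=(\S+)",
    "Deployment ID": r"DeploymentID=(\S+)",
    "Element": r"Element=(\S+)",
    "Hostname": r"HostName=(\S+)",
    "Metric ID": r"MetricID=(\S+)",
    "Value": r"Value=(\S+)",
}

# Constructed sample payload (not a real QRadar event), in the key=value
# form the regexes above expect.
SAMPLE_PAYLOAD = (
    "ComponentName=ecs-ec-ingress ComponentType=ecs-ec "
    "DeploymentID=example-deployment Element=Queue "
    "HostName=qradar-console.example MetricID=QueueDepth Value=42"
)

def check_properties(payload, properties):
    """Return {property name: captured value, or None if the regex fails}."""
    results = {}
    for name, expression in properties.items():
        match = re.search(expression, payload)
        results[name] = match.group(1) if match else None
    return results

def find_problems(payload, properties):
    """Report expressions that do not match the payload, and a Value capture
    that is not numeric (the Value property must use Field Type Numeric)."""
    problems = []
    for name, captured in check_properties(payload, properties).items():
        if captured is None:
            problems.append(f"{name}: expression {properties[name]!r} does not match")
        elif name == "Value":
            try:
                float(captured)
            except ValueError:
                problems.append(f"Value: captured {captured!r} is not numeric")
    return problems

if __name__ == "__main__":
    # A mistyped expression (wrong key case) is reported as non-matching; the correct set reports [].
    wrong_case = dict(HEALTH_METRIC_PROPERTIES, Hostname=r"Hostname=(\S+)")
    print(find_problems(SAMPLE_PAYLOAD, HEALTH_METRIC_PROPERTIES))
    print(find_problems(SAMPLE_PAYLOAD, wrong_case))
```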
Duplicate Property
If you have identified duplicates, delete them by selecting them from the Custom Event Properties list and clicking the Delete button. You might still have to edit the remaining Custom Event Property.
Erroneous Field
If you have identified an error in any of the fields of one or more Custom Event Properties, click the Edit button to correct the erroneous field, using the correct values listed above.
Document Information
Modified date: 24 April 2024
UID: swg21986546