IBM Support

QRadar: Missing Health Metric Events

Troubleshooting


Problem

Health Metric events are not visible in the Log Activity tab because the Custom Event Properties that the Health Metrics DSM relies on are missing or misconfigured.

Cause

If Custom Health Metrics Event Properties are not correctly set up, this might result in missing QRadar Health Metric events.

Diagnosing The Problem

Verifying the issue
To verify this issue, start by running a search in the Log Activity tab of QRadar.
  1. Log in to the QRadar Console.
  2. Click the Log Activity tab.
  3. Click Add Filter.
  4. From the drop-down options, select Log Source [Indexed], Equals, and Health Metrics-2 :: hostname
  5. Click Add Filter.
  6. Click View and select a timeframe of 15 minutes.

Results
If no results are returned when the search completes, the administrator should ensure that the custom properties required by the Health Metrics-2 DSM exist.

Custom properties required to parse health metric events
To check the custom event properties, go to Admin > Data Sources > Custom Event Properties. There are seven Custom Event Properties for Health Metric Log Source Types:
  • Component Name
  • Component Type
  • Deployment ID
  • Element
  • Hostname
  • Metric ID
  • Value

Use the Search functionality to search for each of the Custom Event Property names and verify that each one exists and is unique. Also verify that their Log Source Type is set to Health Metrics. After you have verified that they are unique and that their Log Source Type is set correctly, you can use the Search functionality to view them together by searching for Health Metrics. When the Log Source Type values are all set correctly, the search result should look like the picture below:



Compare the remaining values (Type, Event Name, Expression, Username, Enabled) to make sure they all match the example listed above.

Resolving The Problem

If you identified any issues when running the checks described in the Diagnosing the Problem section, perform any of the following actions as needed:

Missing Property

If you identified one or more Custom Event Properties as missing, use the Add button to recreate them. The correct values for the required fields match the example in the previous section and are as follows:
 
Property Type: Regex
Property Definition: Any of the Property Names listed above (one Custom Event Property per name).
Optimize parsing for rules, reports, and searches: Checked
Field Type: AlphaNumeric (Note: for the Value property, choose Numeric)
Enabled: Checked
Log Source Type: Health Metrics
Log Source: All
Event Name: Use the Browse button and search for Health Metrics, which has QID 940000001
Extraction Regex: This field must contain the value shown under the Expression column in the Custom Event Properties list. Each Custom Event Property has its own unique expression. The correct values are as follows:
Component Name: ComponentName=(\S+)
Component Type: ComponentType=(\S+)
Deployment ID: DeploymentID=(\S+)
Element: Element=(\S+)
Hostname: HostName=(\S+)
Metric ID: MetricID=(\S+)
Value: Value=(\S+)
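As an added example that is not part of this technote, the following Python script applies the seven Expressions listed above to a constructed sample payload and reports which properties fail to extract or violate their Field Type. The payload contents are an assumption made for illustration, not a captured QRadar event; the regexes and property names are the ones listed above.

```python
import re

# The seven Custom Event Properties the Health Metrics-2 DSM requires, with the
# Extraction Regex (Expression) the technote lists for each.
HEALTH_METRIC_PROPERTIES = {
    "Component Name": r"ComponentName=(\S+)",
    "Component Type": r"ComponentType=(\S+)",
    "Deployment ID": r"DeploymentID=(\S+)",
    "Element": r"Element=(\S+)",
    "Hostname": r"HostName=(\S+)",
    "Metric ID": r"MetricID=(\S+)",
    "Value": r"Value=(\S+)",
}
# Field Type per the technote: Value is Numeric, the rest are AlphaNumeric.
NUMERIC_PROPERTIES = {"Value"}

# Constructed sample payloads (assumed for illustration, not captured from a real
# deployment); only the key=value tokens matter and they follow the Expressions.
GOOD_EVENT = ("DeploymentID=deploy-1 HostName=qradar-console "
              "ComponentName=ecs-ec-ingress ComponentType=EventCollector "
              "Element=EventParsing MetricID=EventsPerSecond Value=1234.5")
# Same metric, but the hostname key is in the wrong case and Value is not a number.
BAD_EVENT = ("DeploymentID=deploy-1 Hostname=qradar-console "
             "ComponentName=ecs-ec-ingress ComponentType=EventCollector "
             "Element=EventParsing MetricID=EventsPerSecond Value=n/a")


def parse_health_metric(payload):
    """Apply every Expression to one payload.

    Returns (parsed, problems): parsed maps property name to the captured
    string (float for Numeric properties); problems lists properties whose
    regex did not match or whose value violates the configured Field Type.
    """
    parsed, problems = {}, []
    for name, pattern in HEALTH_METRIC_PROPERTIES.items():
        match = re.search(pattern, payload)  # the Expressions are case-sensitive
        if match is None:
            problems.append(f"{name}: {pattern!r} did not match")
            continue
        value = match.group(1)
        if name in NUMERIC_PROPERTIES:
            try:
                value = float(value)
            except ValueError:
                problems.append(f"{name}: {value!r} is not numeric")
                continue
        parsed[name] = value
    return parsed, problems
```

A property whose Expression does not match leaves that field empty on the event, which is why a mistyped expression or a duplicate property with the wrong value shows up as missing data in searches and rules.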
 
Duplicate Property
If you have identified duplicates, delete them by selecting from the Custom Event Properties list and clicking the Delete button. You might still have to edit the remaining Custom Event Property.

Erroneous Field
If you have identified an error in any of the fields of one or more Custom Event Properties, click the Edit button to correct the erroneous field, using the correct values listed above.



 


Document Information

Modified date:
27 July 2021

UID

swg21986546