IBM Support

QRadar: How to find an API search that is causing high system load in QRadar

How To


How to find API searches that are effecting performance in QRadar, when high system load has been identified by using


You can identify sources of high load by using the script, found in /opt/qradar/support/ and described in more detail here: QRadar: Using ThreadTop to determine QRadar process load
In some cases, you might notice high Msecs values appearing for ariel_proxy_server on a Console or ariel_query_server on a managed host. These services provide the ability for users to search for events, and sometimes the searches can be taxing on the system. In the case of the API, it is often easy to forget which user has run a search, and what the search is.
In the script, a system under high search load may return values similar to the example below. The "-p 7782" option limits to port 7782, which is the port typically used by the ariel services to run searches:
/opt/qradar/support/ -p 7782
Server             ID       Msecs   Name
-----------------  ------   ------  --------------------------------------------------------
7782               142      3278    qw_2:c0fc77bd-1f0e-43da-b6e4-400fc84273ec  <---ID of search
7782               118      2602    qw_4:e9028479-3114-44d7-af84-1b4c92a3fdef
7782               234      2432    qw_3:d9073218-29fb-4b27-bdfc-cf31a3f5e914
7782               162      2300    qw_1:dccd6fcf-e3ac-418f-b3b8-c6a19a22a78e
In the previous example, the 4 query writer (qw_*) threads are blocked up with 4 different searches. The search's ID is in the Name column.


One way of checking the search's status, query, duration, and other details is to use the QRadar Console API.
  1. Using, get the GUID of search that is running. For example: qw_2: c0fc77bd-1f0e-43da-b6e4-400fc84273ec
  2. Access the QRadar API by going to https://<QRadar hostname>/api_doc
  3. Using the panel on the left, navigate to ariel > searches > search_id.
  4. Scroll down to the "Parameters" section and locate the Parameter "search_id".image-20200226114058-1
  5. Enter the ID of the search into the search_id Value box. In this example: c0fc77bd-1f0e-43da-b6e4-400fc84273ec
  6. Click the "Try it Out!" button at the bottom of the page.
The page will show a set of new boxes, including information of your search. In this example the Response Body has the following information:
Response Body
cursor_id c0fc77bd-1f0e-43da-b6e4-400fc84273ec
status EXECUTE
compressed_data_file_count 0
compressed_data_total_size 0
data_file_count 82540
data_total_size 125953333700
index_file_count 4312
index_total_size 6195535220
processed_record_count 2
desired_retention_time_msec 86400000
progress 12
progress_details []
query_execution_time 4500073
query_string SELECT * FROM EVENTS WHERE INOFFENSE (10020) START '2020-01-01 01:00'
record_count 2
size_on_disk 0
save_results false
Note the query_string in the previous table, this is the query of the search running. There are other useful values here, such as the query_execution_time (how long has it been running for) and progress (rough estimate of progress, in percentage).

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3.x","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
14 December 2020