QRadar: Overflow records in Network Activity

I am seeing flows created for a flow type labeled 'overflow'. What are these and why are they generated?


An overflow record is created when the number of flows captured exceeds the licensed limit of the QFlow component.


There is one overflow record created for each protocol seen after the license or governor limit is exceeded. These records can be easily identified as they always have a source IP address of and a destination IP address of

For example, suppose the license limit on the QFlow Collector is 100,000 flows per interval and, during a peak period, the QFlow appliance captures 120,000 flows in a single one-minute interval. The excess 20,000 flows are not parsed; instead, one overflow record is created for each protocol seen in those 20,000 flows to capture their packet and byte counts. In essence, an overflow record is a per-protocol summary of the flows captured after the license limit was exceeded for the interval. The other information that would normally be normalized, such as source and destination addresses, ports, and the payload capture, is not collected or stored for those flows.
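The following is an added simulation of the behaviour described above; it is example code written for this page, not IBM's QFlow implementation. The `Flow`/`OverflowRecord` names, the field names, and the constructed sample traffic from `make_flows()` are all assumptions made for the demonstration. It shows the first `limit` flows of an interval being kept with all attributes, every later flow being rolled into a per-protocol record that retains only packet and byte totals, and the counter resetting at each interval boundary.

```python
"""Constructed simulation of QFlow overflow records (not QRadar code).

Flows within one collection interval are accepted until the licensed
per-interval limit is reached; every flow beyond that is not parsed and
is instead rolled into a single per-protocol overflow record that keeps
only packet and byte totals.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One captured flow; the field names are this example's own."""
    proto: str          # e.g. "tcp", "udp", "icmp"
    src: str
    dst: str
    src_port: int
    dst_port: int
    packets: int
    byte_count: int
    # payload capture deliberately omitted from the model


@dataclass
class OverflowRecord:
    """Per-protocol summary of flows captured after the limit was hit.

    Has no addresses, ports or payload on purpose: those attributes are
    not collected for overflow traffic, only the counts survive.
    """
    proto: str
    flow_count: int = 0
    packets: int = 0
    byte_count: int = 0


def apply_license_limit(flows, limit):
    """Split one interval's flows into parsed flows and overflow records.

    Returns (parsed, overflow): `parsed` holds the first `limit` flows
    with all attributes intact, `overflow` is a dict keyed by protocol
    summarising everything captured after the limit was exceeded.
    """
    if limit < 0:
        raise ValueError("license limit must be non-negative")
    parsed = []
    overflow = {}
    for n, flow in enumerate(flows):
        if n < limit:
            parsed.append(flow)
            continue
        # Over the limit: only protocol, packets and bytes are retained.
        rec = overflow.setdefault(flow.proto, OverflowRecord(flow.proto))
        rec.flow_count += 1
        rec.packets += flow.packets
        rec.byte_count += flow.byte_count
    return parsed, overflow


def summarize_by_interval(timed_flows, limit, interval_seconds=60):
    """Apply the per-interval limit to (timestamp, Flow) pairs.

    Flows are bucketed into fixed-size intervals so the count resets
    every minute; each interval gets its own overflow records.
    Returns {bucket_index: (parsed, overflow)}.
    """
    buckets = defaultdict(list)
    for ts, flow in timed_flows:
        buckets[ts // interval_seconds].append(flow)
    return {b: apply_license_limit(fl, limit) for b, fl in sorted(buckets.items())}


def make_flows(count):
    """Constructed, deterministic sample traffic (assumed, not real data)."""
    protos = ("tcp", "udp", "icmp")
    return [
        Flow(
            proto=protos[i % 3],
            src=f"10.0.{(i // 256) % 256}.{i % 256}",
            dst="192.0.2.10",
            src_port=40000 + i % 1000,
            dst_port=443,
            packets=1 + i % 5,
            byte_count=64 * (1 + i % 5),
        )
        for i in range(count)
    ]


if __name__ == "__main__":
    # The article's numbers: 100,000 licensed, 120,000 captured in one minute.
    parsed, overflow = apply_license_limit(make_flows(120_000), 100_000)
    print(f"parsed flows: {len(parsed)}")
    for rec in overflow.values():
        print(rec)
```

Running the block with the article's numbers keeps 100,000 fully attributed flows and produces exactly three overflow records (one per protocol present in the excess) whose `flow_count` values sum to 20,000. The `summarize_by_interval` helper makes the per-minute reset explicit: an interval that stays under the limit yields an empty overflow dict, which is the condition to look for when checking whether a collector is undersized.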

To view the license limit for your QRadar appliance, administrators can review licenses by clicking the Admin tab > System and License Management icon.


25 July 2022