IBM Support

QRadar Incident Forensics: Search is failing as file exceeds size limit



An Incident Forensics search might fail while it is running.


When you mouse over the FAIL error, you see the following message:

Actual file size (3234567890) exceeds maximum file size limit (2000000000)


This issue is caused by the default file size limit. The default limit is there to make sure that you do not download too much data. However, it should be set to a value that works with your environment.

Resolving The Problem

You can increase the default file size limit in the QRadar Web User Interface.
  1. Log in as an administrator to QRadar.
  2. Click the Admin tab on the console.
  3. Click Server Management under the Forensics section.
  4. Increase the Maximum file download (MB): value under the Server Setting section.
  5. Click Save.
  6. Click Deploy Changes.

The Incident Forensics search finishes without issues.


Document Information

Modified date:
21 October 2022