IBM Support

QRadar: Disable Custom Event Properties For Non-Existent Log Sources

Troubleshooting


Problem

Custom Event Properties are enabled by default. In some cases, users can require to disable Custom Event Properties that are not associated with a Log Source that is configured in the system.

Resolving The Problem

All Custom Event Properties are enabled by default. In some cases, some Custom Event Properties are related to non-existent or not configured Log Sources. Having these Custom Event Properties disabled if not used, can increase QRadar performance.

Before you begin: Before, considering disabling a Custom Event Property make sure that you will not use this Log Source Type at a future date. If you disable a Custom Event Property, you will no longer parse events for that Log Source Type if added later.
  1. Click Admin tab.
  2. Scroll down to Data Sources.
  3. Click Custom Event Properties.
  4. Order By the Log Source Type.

  5. Locate the Custom Event Properties with N/A in the Log Source Column. These are not currently assigned to a Log Source Type in the system.
  6. Highlight any Custom Event Property that you do not need and click Disable.


Results
The selected Custom Event Property is now disabled.
 

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2.8;7.4.0;7.5.0"}]

Document Information

Modified date:
24 April 2024

UID

swg21989688