Question & Answer
Question
Why are my searches not showing results or ending in error when one of the Event Processors or Data Nodes are not accessible (IO Error)?
Cause
In some instances, Ariel Viewers are not showing results when search is in progress and one of the Event Processors or Data Nodes is not accessible (IO Error) due to the appliance is offline or inaccessible to network traffic.
Answer
To resolve this issue, create a search without any of the appliances that are not responding to queries. First you should try a real time search which uses data that is not stored.
Procedure to Test an Event Processor or Data Node using a real time search:
- Log in to the QRadar user interface.
- Click Log Activity tab.
- Observe the events.
Results: There should be no errors.
Procedure to resolve Search not working with an Event Processor or Data Node for new search:
- Log in to the QRadar user interface.
- Click Log Activity tab.
- Create a search using filters Event Processor Equals Any of <value>
- From the drop down menu, add all known working Event Processors or Data Nodes.
- Click Add Filter.
- Add any of the other Criteria of you require for your search.
Procedure to resolve Search not working with an Event Processor or Data Node for saved search.
- Log in to the QRadar user interface.
- Click Log Activity tab.
- Click Search.
- Click New Search.
- From Saved Searches load your existing search.
- From Search parameters use filters Event Processor Equals Any of <value>
- From the drop down menu, select all known working Event Processors or Data Nodes.
- Click Filter.
Result: This should return data from working Event Processors or Data Nodes.
Where do you find more information?
Related Information
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21992023