IBM Support

QRadar: Search is not working when an Event Processor or Data Node is down.

Question & Answer


Question

Why are my searches not showing results, or ending in an error, when one of the Event Processors or Data Nodes is not accessible (IO Error)?

Cause

In some instances, Ariel Viewers do not show results when a search is in progress and one of the Event Processors or Data Nodes is not accessible (IO Error) because the appliance is offline or cannot be reached over the network.

Answer

To resolve this issue, create a search that excludes the appliances that are not responding to queries. First, try a real-time search, which uses live event data rather than stored data.

Procedure to Test an Event Processor or Data Node using a real time search:

  1. Log in to the QRadar user interface.
  2. Click Log Activity tab.
  3. Observe the events.

Results: There should be no errors.

Procedure to resolve Search not working with an Event Processor or Data Node for new search:
  1. Log in to the QRadar user interface.
  2. Click Log Activity tab.
  3. Create a search using the filter Event Processor Equals Any of <value>.
  4. From the drop-down menu, add all known working Event Processors or Data Nodes.
  5. Click Add Filter.
  6. Add any other criteria you require for your search.

Procedure to resolve Search not working with an Event Processor or Data Node for a saved search:
  1. Log in to the QRadar user interface.
  2. Click Log Activity tab.
  3. Click Search.
  4. Click New Search.
  5. From Saved Searches load your existing search.
  6. From Search Parameters, use the filter Event Processor Equals Any of <value>.
  7. From the drop-down menu, select all known working Event Processors or Data Nodes.
  8. Click Filter.

Result: This should return data from working Event Processors or Data Nodes.


Document Information

Modified date:
16 June 2018

UID

swg21992023