QRadar: Why are Multiple Datanodes joined to an Event Processor not using the same amount of storage?

Why are my Data Nodes not utilizing the same percentage of storage?


  1. Log in to the QRadar User Interface
  2. Click Admin tab > System and License Management
  3. Click an Event Processor that has Datanodes attached.
  4. Click Actions > View and Manage Systems.
  5. Use the Security Data Distribution tab to check on the status of the Datanodes balance.

Results: You might not necessarily see all of the Datanodes utilizing the same storage. This is to be expected.


How can we interpret the load balance, considering that DN01 and DN02 have nearly the same usage, and DN03 has another 18%?

  1. The scattering algorithms that QRadar uses are biased towards the Datanode Appliance that has more storage available. If you power off a Datanode for maintenance, then when the Appliance is brought back online, the scattering algorithm kicks in and routes more data towards that Appliance if it has more available space. No data rebalance process occurs in this scenario.
  2. As time progresses and the available storage on the other Datanodes decreases, the scattering algorithm will evenly balance data over all Datanodes.
  3. EP01, DN01, and DN02 were all added on the same day. DN03 was added much later on. An initial rebalance occurs when DN03 is added, and then the scattering algorithm is enforced over time. While the initial balance is occurring on DN03, there might be an extended outage on DN01 and DN02. This accounts for the high usage on DN03.

Results: While the usage is not one-to-one, the scattering algorithm will eventually balance out the Datanodes as the utilization increases. This is working as designed and should not be a point of concern.
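The convergence described above can be seen in a toy simulation, added here as an example and not IBM's code. It assumes each ingest batch is split in proportion to free space (the page does not give QRadar's actual scattering algorithm), three equal 10,000 GB Datanodes, no retention deletion, and constructed starting usage of 40%, 41% and 58%.

```python
# Toy model (an assumption, not QRadar's real scattering algorithm):
# every ingest batch is split across Datanodes in proportion to free space.
# There is no rebalance step and no retention-based deletion.

# Constructed sample values, in GB.
CAPACITY = {"DN01": 10000.0, "DN02": 10000.0, "DN03": 10000.0}
USED = {"DN01": 4000.0, "DN02": 4100.0, "DN03": 5800.0}


def route_batch(used, capacity, batch_gb):
    """Return per-node usage after scattering one batch by free space."""
    free = {n: capacity[n] - used[n] for n in used}
    total_free = sum(free.values())
    if total_free <= 0:
        raise ValueError("no free space left on any Datanode")
    batch_gb = min(batch_gb, total_free)  # cannot store more than is free
    return {n: used[n] + batch_gb * free[n] / total_free for n in used}


def spread(used, capacity):
    """Gap, in percentage points, between the fullest and emptiest node."""
    pct = [100.0 * used[n] / capacity[n] for n in used]
    return max(pct) - min(pct)


def simulate(used, capacity, batch_gb, batches):
    """Ingest `batches` batches; return final usage and the spread history."""
    history = [(0, spread(used, capacity))]
    for i in range(1, batches + 1):
        used = route_batch(used, capacity, batch_gb)
        history.append((i, spread(used, capacity)))
    return used, history


if __name__ == "__main__":
    final, history = simulate(USED, CAPACITY, batch_gb=100.0, batches=100)
    for batch_no, gap in history[::25]:
        print(f"after {batch_no:3d} batches: spread = {gap:5.2f} points")
    for node in sorted(final):
        print(f"{node}: {100.0 * final[node] / CAPACITY[node]:.1f}% used")
```

In this model the gap never closes through a rebalance; it shrinks in step with the remaining free space, so the nodes only look even once overall utilization is high.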

