Question & Answer
Question
When reference data is added, removed, or altered to a QRadar environment, how long does it take until the other hosts on the environment can see and use that data?
Cause
Reference data changes are not instant, but take some time due to how the console and managed hosts replicate data between themselves.
Answer
It can take up to 120 seconds for reference data to be visible to the managed hosts in a QRadar environment. However, in practice, the time taken can be less depending on when both the console and hosts aggregate and check for database changes.
Every 60 seconds, the console aggregates changes to the database from the managed hosts attached to it. It then applies these changes to itself and presents them to each of the managed hosts. Each managed host checks for these changes from the console every 60 seconds and apply them.
The result is that the amount of time taken for Reference data to be visible can vary from 0 - 120 seconds, depending on when the console presents the Reference Data updates to each host; and when each host looks for these changes from the console.
Replication can be verified by using the replicationVerify.pl script as documented here: QRadar: Validate the configuration database is sychnonized with replicationVerify.pl
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
20 August 2020
UID
ibm16254379