IBM Support

Why are there gaps in the EPS chart - has QRadar missed payloads/logs - [ERROR] ErrorStream tunnel.host

How To


Summary

If the connection between the QRadar Console and one or more managed hosts is lost, QRadar repairs the issue automatically. While the repair is in progress, however, system dashboards may not reflect the actual incoming traffic.

Objective

To create a rule that notifies a user when a networking issue occurs, so that the resulting gaps in charts can be identified as false alarms and safely ignored.

Steps

The Log Activity tab displays not only incoming events; it can also display the contents of qradar.log as events from the System-Notification-2 log source. These events can be used to identify back-end conditions for which there is no notification in the UI.

For example, a Java™ messaging service (JMS) tunnel between the Event Collector (EC) and the Console has shut down with an error. The dashboard shows what looks like a gap in the traffic. In fact, the EC is still sending events to the Console; it is the Accumulator that is not aware of how many events the Console is receiving, so the graph is not a true reflection of incoming traffic in this case.

The Accumulator, which is responsible for charts, is a centralized process that gathers statistical data from local console logs. While an issue of this nature is ongoing, the Accumulator may be dealing with inaccurate information from the logs.

Such a condition is indicated by an event with the following description:

[hostcontext.hostcontext] ComponentOutput: [ERROR] ErrorStream tunnel.<tunnel_ID>: Job for tunnel@<tunnelID> because the control process exited with error code.

Open one of these events to investigate its details and click the Extract Properties button.

In the "Test Field" section of the Extract Properties window, highlight the string "tunnel@<tunnelID> service failed". Write a regular expression that matches this string and test it; when the test succeeds, QRadar highlights the matching text in yellow. Give the property a name and save it.

Next, create a new event rule with the test “when this property equals this property”.


For the first property select "Payload" and for the second property select the custom event property (CEP) that was created above, so that the test reads: "and when Payload equals <CEP_Name>".

Select a rule response in accordance with your use case.
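The regular expression step above, worked through offline as an added example (not code from the article or from QRadar): the pattern is applied to a few constructed System-Notification-2 style payloads modelled on the message the article quotes, and the tunnel ID it captures is the value the custom property would hold. The tunnel names (ec-107, ec-212) and the exact wording of the sample lines are assumptions; QRadar's custom property tests use Java-style regular expressions, so the pattern keeps to syntax that both Java and Python accept.

```python
import re

# Constructed System-Notification-2 style payloads, modelled on the message the
# article quotes. The tunnel names (ec-107, ec-212) are placeholders, and the
# two failure lines show the ".service" and " service" spellings so the pattern
# handles both.
SAMPLE_EVENTS = [
    "[hostcontext.hostcontext] ComponentOutput: [ERROR] ErrorStream tunnel.ec-107: "
    "Job for tunnel@ec-107.service failed because the control process exited with error code.",
    "[hostcontext.hostcontext] ComponentOutput: [INFO] Tunnel tunnel.ec-212 established",
    "[hostcontext.hostcontext] ComponentOutput: [ERROR] ErrorStream tunnel.ec-212: "
    "Job for tunnel@ec-212 service failed because the control process exited with error code.",
    "[ecs-ec.ecs-ec] Event throttle: 0 events dropped",
]

# The pattern you would paste into the Extract Properties window. Group 1 is the
# tunnel ID; a custom event property keeps the first capture group.
TUNNEL_FAILURE_RE = re.compile(
    r"ErrorStream tunnel\.\S+: Job for tunnel@(\S+?)\.?\s*service failed"
)


def failed_tunnel_id(payload):
    """Return the tunnel ID if the payload is a tunnel-failure notification, else None."""
    match = TUNNEL_FAILURE_RE.search(payload)
    return match.group(1) if match else None


def failed_tunnels(payloads):
    """Mimic the rule: collect the tunnel ID from every payload the property matches."""
    return [tid for tid in map(failed_tunnel_id, payloads) if tid]


if __name__ == "__main__":
    for tid in failed_tunnels(SAMPLE_EVENTS):
        print(f"tunnel {tid} failed: expect a chart gap until QRadar rebuilds the tunnel")
```

The live message may differ slightly from these constructed lines, so test the pattern against a real event in the Extract Properties window, as the article describes, before saving the property.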

Document Location

Worldwide


Document Information

Modified date:
31 August 2020

UID

ibm16257737