Troubleshooting
Problem
Events that match filters for a custom Domain instead show up in the Default Domain.
Symptom
Events show up with a Low-Level Category of Stored, and in the Default Domain around the same time that Events routed directly to storage notifications are seen.
Errors such as the following are present in qradar.error on the Event Collector where the event was received.
Errors such as the following are present in qradar.error on the Event Collector where the event was received.
com.ibm.si.ec.filters.normalize.DSMFilter: [WARN] [NOT:0080004101][xxx.xxx.xxx.xxx/- -] [-/- -]Device Parsing has sent a total of 18603 event(s) directly to storage. 18603 event(s) have been sent in the last 60 seconds. Queue is at 99 percent capacity.
Document Location
Worldwide
[{"Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtEAAQ","label":"Log Activity"},{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"TS004116309","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]
Log InLog in to view more of this document
This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.
Was this topic helpful?
Document Information
Modified date:
17 September 2020
UID
ibm16333105