IBM Support

QRadar: Limitations of using the script with content that is deleted from the source system but is present in the target

Question & Answer


Administrators use the script to move content between systems. What limitation does the script have with regard to content that is deleted in the source system but is still present in the target system?


The script is used to export content from one IBM® QRadar® deployment and then import it into another deployment. The export option exports content from a source QRadar system, while the import and update options import or update content on the target QRadar system. When the export option is used, it creates a file that contains all the content from the source system. This file is then copied over to the target system and the script is run by using either the import or update options.
The script is not designed to be a full-fledged synchronization tool. Rather, it is a simple backup and restore tool with an added update functionality. It does not have the capability to delete any content on the target system. The update option is designed to make changes to content that is present in both the backup and the target system. It does not delete content that is not present in the backup but is present in the target system.
For example, consider the following scenario:
  • A QRadar source system has two rules called Rule A and Rule B (refer to the diagram)
  • The script is used to export content on the source system and the content is then imported into the target system
  • The administrator then deletes Rule A and updates Rule B on the source system (refer to the diagram)
  • The script is again used to export content from the source system. Note that the content export does not contain Rule A and has an updated copy of Rule B.
  • The content export is then imported into the target system using the update option.
After the content import, Rule A still exists on the target system and Rule B is updated.
Note: Rule A does not get deleted even though it does not exist in the content export.
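
The scenario above, modelled as an added example (this is not IBM's script or its code). It applies an export to a target the way the update option is described here and lists the content left behind on the target, which has to be reviewed and removed manually. The inventory dictionaries, `apply_update` and `UpdateResult` are hypothetical names with constructed sample data.

```python
"""Model of the update behaviour described above, plus a stale-content check.

Inventories are constructed sample data: {content name: definition text}.
How they are collected from each deployment is outside this example.
"""
from dataclasses import dataclass, field


@dataclass
class UpdateResult:
    target_after: dict                               # target content after the update
    updated: list = field(default_factory=list)      # in both, definition changed
    unchanged: list = field(default_factory=list)    # in both, identical
    stale: list = field(default_factory=list)        # on target only, never deleted
    export_only: list = field(default_factory=list)  # in export only, reported only


def apply_update(export: dict, target: dict) -> UpdateResult:
    """Overwrite items present in both export and target; delete nothing."""
    result = UpdateResult(target_after=dict(target))  # copy, caller's dict untouched
    for name, definition in sorted(export.items()):
        if name not in target:
            # The page does not say how update treats export-only items,
            # so they are reported here and not applied.
            result.export_only.append(name)
        elif target[name] != definition:
            result.target_after[name] = definition
            result.updated.append(name)
        else:
            result.unchanged.append(name)
    # Content the export no longer carries survives on the target.
    result.stale = sorted(set(target) - set(export))
    return result


# Constructed inventories matching the Rule A / Rule B scenario.
TARGET_AFTER_FIRST_IMPORT = {"Rule A": "v1", "Rule B": "v1"}
SECOND_EXPORT = {"Rule B": "v2"}  # Rule A deleted on source, Rule B updated

if __name__ == "__main__":
    r = apply_update(SECOND_EXPORT, TARGET_AFTER_FIRST_IMPORT)
    print("updated on target:", r.updated)
    print("still on target, absent from export:", r.stale)
```

Every name in `stale` is content, such as a detection rule, that no longer exists on the source but still exists on the target.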


Document Information

Modified date:
29 September 2020