Troubleshooting
Problem
QRadar continues to process specific events after a routing rule has been configured to drop them based on their Event IDs.
Symptom
- No errors are seen during the configuration process.
- No errors are seen in the internal logs, qradar.log and qradar.error.
- You will need to check the routing rule filter. In this example the configuration is incorrect: as you can see, the Event IDs are separated by commas (,):
Event ID is any of 5152, 5153, 5154, 5155, 5156, 5157, 5158
Cause
The cause of the issue is the way the Event IDs are entered into the routing rule filter. If you type all of the Event IDs at once and add them as a single entry, QRadar treats the whole entry as one Event ID and does not drop the intended events.
Resolving The Problem
The incorrect process is to enter the IDs on one line, for example:
This is how the filter looks when you add all the Event IDs at the same time:
Note: Here QRadar understands that the Event ID is "5152, 5153, 5154, 5155".
The correct process is to add the IDs one by one:
To verify, check the filter after you have entered the IDs one by one: the filter lists all the Event IDs with "OR" between them.
For example:
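The following is an added illustration, not QRadar code and not part of the original technote. It models the matching behaviour the technote describes (each filter entry is compared against the event's ID as a whole value, and separate entries are ORed together) and shows why the single comma-separated entry never drops anything, while the one-by-one entries do. It also includes a small check that flags a filter entry containing a comma, which is the misconfiguration to look for. The class, function and sample event IDs are constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class RoutingRuleFilter:
    """Model of an 'Event ID is any of ...' routing-rule filter.

    Each element of `values` is one entry as it was added in the filter UI.
    (Hypothetical model, not QRadar's implementation.)
    """
    values: List[str]

    def matches(self, event_id: str) -> bool:
        # Entries are ORed: the event matches if its ID equals ANY entry.
        # An entry is compared as a whole string, so "5152, 5153" is one
        # literal value, not two IDs.
        return any(event_id == entry.strip() for entry in self.values)


def comma_joined_entries(rule_filter: RoutingRuleFilter) -> List[str]:
    """Return filter entries that contain a comma.

    Such an entry will never equal a real Event ID, so the rule silently
    fails to drop the events it was meant to drop.
    """
    return [entry for entry in rule_filter.values if "," in entry]


def dropped_events(rule_filter: RoutingRuleFilter, event_ids: List[str]) -> List[str]:
    """Return the subset of incoming event IDs the routing rule would drop."""
    return [event_id for event_id in event_ids if rule_filter.matches(event_id)]


# Incorrect configuration: all IDs typed at once as one entry.
WRONG_FILTER = RoutingRuleFilter(["5152, 5153, 5154, 5155, 5156, 5157, 5158"])

# Correct configuration: each ID added separately (ORed entries).
RIGHT_FILTER = RoutingRuleFilter(
    ["5152", "5153", "5154", "5155", "5156", "5157", "5158"]
)

# Constructed sample of incoming Windows event IDs; 4624 is not in the rule.
SAMPLE_EVENT_IDS = ["5152", "5156", "4624", "5158"]


if __name__ == "__main__":
    print("wrong filter drops:", dropped_events(WRONG_FILTER, SAMPLE_EVENT_IDS))
    print("right filter drops:", dropped_events(RIGHT_FILTER, SAMPLE_EVENT_IDS))
    for bad in comma_joined_entries(WRONG_FILTER):
        print(f"misconfigured entry (contains commas): {bad!r}")
```

Running the script shows the wrong filter dropping nothing and the right filter dropping 5152, 5156 and 5158, which matches the symptom in the technote: no error is raised anywhere, the rule is simply never satisfied. The comma check is the quick test to apply when a drop rule appears to have no effect.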
Document Location
Worldwide
Document Information
Modified date:
09 March 2021
UID
ibm16415629