
QRadar Performance and what causes slow searches

Question & Answer


Question

What is a slow search?

Answer

A slow search happens when QRadar has too many files to read or too many values to return for the query to complete in the expected time.

 

Why is a search slow?

Event and flow searching is limited by the disk read rate on the Ariel servers. If the search targets many files, the time to complete it increases. The duration of a search depends on the selected time frame and on the number of events you receive. Hardware resources are also a factor: larger servers have more resources available to search data, while heavily loaded servers are slow to retrieve it.

Using too many Group By columns in the same search can produce an excessive number of elements. This makes the search heavily resource-intensive on Tomcat and can make it last longer than expected. Searches that do not use indexes must read through every piece of data to locate matches. Because the index contains references to the unique terms in the data and to where that data is located, filtering on indexed properties makes searches faster.


 

What other factors can cause a slow search?

Running multiple searches at the same time results in competition for server resources, which affects server performance. Even normally fast searches can be affected.

Running large searches, or searches over long time frames (many days) without filtering the events, can take a long time and consume many server resources.

Searches without filters can return a large amount of information that is not useful, and take a long time to do so. Relying on filters speeds up results, and filters based on indexed properties are better still.

Insufficient bandwidth between managed hosts and the Console also slows searches, because the managed hosts need a fast connection to send their results to the Console. For more information, see the IBM Documentation: Bandwidth Consideration for managed hosts.

How can I prevent my system from being affected by slow searches?

The video Searching Your QRadar Data Efficiently helps you understand how to search faster and why you should use filters and indexes. You can also set system-wide resource restrictions for searches to prevent long-running slow searches. For more information, see the IBM Documentation: Restrictions to prevent resource-intensive searches.

Rely on filters and indexed fields to make the search faster; this decreases the amount of data the servers must read. For more information, see the IBM Documentation: Searching Your QRadar Data Efficiently: Part 2 - Leveraging Indexed Values.

If my system is already slow, how can I know whether a long search is running?

  1. Log in to the QRadar Console as an admin user.
  2. Click the Log Activity tab.
  3. Click Search > Manage Search Results.
  4. Highlight the long-running search that you want to cancel.
  5. Click Cancel.
Results
Canceling a long search returns its resources to other searches. If the search does not cancel, you might need to perform a Deploy Full Configuration during a scheduled maintenance window.

Important: Deploy Full Configuration restarts services. While services are restarting, event processing stops. Scheduled reports that are in progress must be manually restarted by users. Administrators with strict outage policies are advised to complete the following steps during a scheduled maintenance window for their organization.
 
  1. Log in to the QRadar UI as an admin user.
  2. Click the Admin tab.
  3. Click Advanced > Deploy Full Configuration to clear all searches.
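The steps above find a long-running search through the Console UI. The following script is an added example for this article, not IBM's code and not part of QRadar: it does the same triage from the search status records that the Ariel REST API returns, so the check can be scripted or run from a monitoring host. It assumes the documented API shape, GET /api/ariel/searches/{search_id} returning JSON with `search_id`, `status`, `progress`, `query_execution_time` (milliseconds), `data_file_count` and `record_count`, and cancellation with POST /api/ariel/searches/{search_id}?status=CANCELED; treat those names, the thresholds, and the host name as assumptions to verify against the API documentation for your version. The status records are constructed for the example, not captured from a live Console.

```python
"""Triage of active Ariel searches from their REST API status records.

Added example, not IBM's code. Field names, status values, the cancel
endpoint and the thresholds are assumptions drawn from the public QRadar
API documentation; verify them against your version before relying on them.
"""
import json

# Constructed sample of what GET /api/ariel/searches/{id} might return for
# four searches. Values are invented to show the cases, not real output.
SAMPLE_STATUS_JSON = json.dumps([
    {"search_id": "a1b2c3d4", "status": "EXECUTE", "progress": 18,
     "query_execution_time": 7_500_000, "data_file_count": 4200,
     "record_count": 9_800_000},   # 125 minutes in, still reading files
    {"search_id": "e5f6a7b8", "status": "COMPLETED", "progress": 100,
     "query_execution_time": 4_200, "data_file_count": 12,
     "record_count": 350},         # filtered search, finished in seconds
    {"search_id": "c9d0e1f2", "status": "EXECUTE", "progress": 60,
     "query_execution_time": 45_000, "data_file_count": 30,
     "record_count": 12_000},      # active but small
    {"search_id": "a3b4c5d6", "status": "WAIT", "progress": 0,
     "query_execution_time": 0, "data_file_count": 0,
     "record_count": 0},           # queued behind the others
])

# Ariel status values that still hold search resources (assumed set).
ACTIVE_STATES = {"WAIT", "EXECUTE", "SORTING"}

# Thresholds are assumptions for the example; tune them per deployment.
MAX_RUNTIME_MS = 30 * 60 * 1000   # 30 minutes of execution time
MAX_DATA_FILES = 1000             # data files a single search has to read


def load_statuses(raw_json):
    """Parse the JSON body of the status responses into a list of dicts."""
    statuses = json.loads(raw_json)
    if not isinstance(statuses, list):
        raise ValueError("expected a JSON array of search status objects")
    return statuses


def slow_reasons(status, max_runtime_ms=MAX_RUNTIME_MS, max_files=MAX_DATA_FILES):
    """Return why a search counts as slow; an empty list if it does not.

    Only active searches are considered: a completed or canceled search no
    longer competes for disk reads on the Ariel servers or memory on Tomcat.
    """
    if status.get("status") not in ACTIVE_STATES:
        return []
    reasons = []
    runtime = status.get("query_execution_time", 0)
    files = status.get("data_file_count", 0)
    if runtime > max_runtime_ms:
        reasons.append(f"running for {runtime / 60000:.0f} min")
    if files > max_files:
        reasons.append(f"reading {files} data files")
    return reasons


def find_long_running(statuses, **thresholds):
    """Active searches over threshold, longest-running first."""
    flagged = []
    for status in statuses:
        reasons = slow_reasons(status, **thresholds)
        if reasons:
            flagged.append({"search_id": status["search_id"],
                            "runtime_ms": status.get("query_execution_time", 0),
                            "progress": status.get("progress", 0),
                            "reasons": reasons})
    flagged.sort(key=lambda hit: hit["runtime_ms"], reverse=True)
    return flagged


def count_active(statuses):
    """How many searches are currently competing for server resources."""
    return sum(1 for s in statuses if s.get("status") in ACTIVE_STATES)


def cancel_request(base_url, search_id):
    """HTTP method and URL that asks Ariel to cancel a search (assumed path)."""
    url = f"{base_url.rstrip('/')}/api/ariel/searches/{search_id}?status=CANCELED"
    return "POST", url


if __name__ == "__main__":
    statuses = load_statuses(SAMPLE_STATUS_JSON)
    print(f"{count_active(statuses)} active searches competing for resources")
    for hit in find_long_running(statuses):
        # qradar.example.com is a placeholder host, not a real Console.
        method, url = cancel_request("https://qradar.example.com", hit["search_id"])
        print(hit["search_id"], "|", "; ".join(hit["reasons"]), "|", method, url)
```

The script only builds the cancel request; sending it needs an authenticated session (SEC token or credentials) against your Console, and cancelling a search belongs in the same maintenance discipline as the UI steps above.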
 


Document Information

Modified date: 02 June 2021

UID: ibm16417093