Troubleshooting
Problem
Unable to remove Event Processor with a Data Node attached to it, when data rebalancing is in progress.
Symptom
A message is shown on the QRadar® GUI when an attempt to remove the Event Processor is made:
"The selected host currently has a data node rebalancing in its cluster. Cannot modify the host while this is occurring."
Cause
QRadar® doesn't allow addition or removal of Event Processors while data rebalancing is in progress.
Resolving The Problem
There are two options to proceed further:
- Wait for rebalancing to complete. To check rebalancing status, use the instructions provided here
- Stop the rebalancing manually by running this command on the Event Processor:
/opt/qradar/support/jmx.sh -p 7782 -b 'com.ibm.si.ariel:application=ariel.ariel_query_server,type=DCS,name=MasterTask-events' -o stop
After the command finishes, confirm on the user interface whether the rebalancing has stopped. If the rebalancing has stopped, you can attempt to remove the Event Processor again.
In some cases, even after you run the command, the status on the user interface does not reflect the stopped state of data rebalancing. In such cases:
- Stop the hostcontext and hostservices processes on Data Nodes in the group (all the data nodes attached to that Event Processor):
systemctl stop hostcontext systemctl stop hostservices - Run these commands to restart QRadar services on the Event Processor:
systemctl stop hostcontext systemctl restart hostservices systemctl start hostcontext - On the Event Processor, confirm all the processes are running:
/opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh - When the wait_for_start script indicates that all the underlying processes are running, restart the hostcontext and hostservices services on the Data Nodes:
systemctl start hostservices systemctl start hostcontext - On the Data Nodes, confirm all the processes are running:
/opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh - When all the services are up on both the Data Nodes and the Event Processor, run the command to stop the rebalancing again, on the Event Processor:
/opt/qradar/support/jmx.sh -p 7782 -b 'com.ibm.si.ariel:application=ariel.ariel_query_server,type=DCS,name=MasterTask-events' -o stop - Check the rebalancing status with the steps provided here. When the rebalancing stops, proceed to delete the Event Processor.
NOTE:
- An Event Processor with associated Data Nodes cannot be removed from a deployment until the Data Nodes are removed first.
- Removing a Data Node from a deployment does not copy that data back to the Event Processor. If a Data Node is removed, the data on that node is no longer available for searches.
Document Location
Worldwide
[{"Type":"SW","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtNAAQ","label":"Deployment"}],"ARM Case Number":"TS005120522","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]
Product Synonym
Qradar, Data Node, Event Processor
Was this topic helpful?
Document Information
Modified date:
22 July 2022
UID
ibm16444821