IBM Support

QRadar: How to identify why Reference Sets are stopping tomcat

How To


Summary

The purpose of this article is to help the user determine what Reference Sets are over 400K. Any reference set over this value causes conflicts and does not load the reference set properly.

Environment

Users affected by this issue can see these errors when they navigate to Admin tab > Reference Sets, or when they use the Reference Set App:
 
image 10656
image 10658

Steps

This issue is caused when the Reference Sets are over 400K. In order to fix the issues, use this procedure on the QRadar Console:
  1. Use SSH to log in to the console as root user.
  2. To identify which Reference Sets are over 400K, type the following command: 
    ​psql -U qradar -c "select id,name,time_to_live,current_count from reference_data where current_count > 400000 order by current_count desc;"
  3. If you want to expedite resolving the problem with reference sets loading and you have the approval to delete the reference data information, run the following command on the console for each reference set bigger than 400K: 
    ​/opt/qradar/bin/ReferenceDataUtil.sh purgeall <Reference Set Name>
  4. Then, set the TTL (Time to Live) to 1 day. It is important because it helps the system to purge the data automatically: 
    /opt/qradar/bin/ReferenceDataUtil.sh update <Reference Set Name> -timeoutType=FIRST_SEEN -timeToLive='1 day'{}

Results
It depends on the number of reference sets you have and how much information they contain. After these commands are run, you need to wait around two hours to open the Reference Sets and see an improvement.

If you still see any issues related to the reference sets, contact IBM support.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"TS005648422","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Document Information

Modified date:
09 February 2023

UID

ibm16465515

Page Feedback