IBM Support

QRadar: Troubleshooting missing graph data in the QRadar Deployment Intelligence (QDI) application

Troubleshooting


Problem

Charts are not populating in the QDI app and EPS values are not showing correctly in the dashboards.

Cause

A common cause is that the Health Metric data is either not received or not parsed correctly, so it cannot be used by the QDI app or the dashboards.

Diagnosing The Problem

If you have ruled out issues described in technote: QRadar: Troubleshooting graph data in the QRadar Deployment Intelligence (QDI) application, and the issue still persists, proceed with the next steps:

  1. From the Log Source Management app, check whether any noninternal log source has the loopback address 127.0.0.1 in its log source name or in its Log Source Identifier. If you find any log sources with this IP, they might be the cause of the issue, so the solution is to delete, disable, or correct them.
    Image: Example of unwanted log sources from Log Source Management app, filtered for not internal log sources, and keyword "127.0.0.1".
  2. Inversely, check if any internal log sources do not have a loopback IP as the hostname (in Postgres) or as Log Source Identifier, excluding Custom Rule Engine and SIM Generic log sources.
    Image: Log Source Management app, filtered for Internal log sources

Resolving The Problem

Incorrect Log source, example of an incorrect hostname

psql -U qradar -c "SELECT id, devicename FROM sensordevice WHERE hostname = '127.0.0.1'"

  id   |         devicename          |
-------+-----------------------------+-
 12427 | Linux OS events @ 127.0.0.1 |
(1 row)

Resolution: Delete the log source from the LSM app.

Incorrect hostname on internal Log source

psql -U qradar -x -c "SELECT id, hostname, devicename, devicedescription FROM sensordevice WHERE devicename ilike '%health%';"

id |   hostname   |                      devicename         | devicedescription |
69 | 10.116.62.52 | Health Metrics-2 :: console-007-primary | Health Metrics
(1 row)

Warning: The resolution contains a manual table update. Do not run the update query unless you have a backup of the table. If you are unsure or if you have trouble with the command in step 3, raise a Support Case with IBM QRadar Support.

Resolution:
  1. Create a backup directory.
  2. Take a backup of the table.
  3. Update the hostname value in Postgres. The id value (69) is taken from the output of the previous SELECT query.

mkdir -pv /store/LOGS/ibm_support
pg_dump -U qradar -t sensordevice -f /store/LOGS/ibm_support/sensordevice-$(date +%Y-%m-%d).sql
psql -U qradar -c "UPDATE sensordevice SET hostname='127.0.0.1' WHERE id=69"
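
A guarded form of the three resolution steps above, as an added example (not IBM's own script): it rejects a non-numeric id and will not run the UPDATE unless the pg_dump backup file exists and is non-empty. The function names and the BACKUP_DIR and DRY_RUN variables are assumptions introduced for this example; the psql and pg_dump commands are the ones shown on this page.

```shell
# Added example: guarded wrapper around the backup-then-update steps.
# BACKUP_DIR and DRY_RUN are names introduced for this example only.
BACKUP_DIR="${BACKUP_DIR:-/store/LOGS/ibm_support}"

# run CMD...: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fix_internal_hostname ID: back up sensordevice, then set the hostname
# of exactly one row (the id from the SELECT output) to the loopback address.
fix_internal_hostname() {
    id="$1"
    # Accept digits only so nothing else is ever placed into the SQL text.
    case "$id" in
        ''|*[!0-9]*) echo "error: id must be numeric" >&2; return 2 ;;
    esac
    dump="$BACKUP_DIR/sensordevice-$(date +%Y-%m-%d).sql"

    run mkdir -pv "$BACKUP_DIR" || return 1
    run pg_dump -U qradar -t sensordevice -f "$dump" || return 1

    # Refuse to update unless the backup file exists and is not empty.
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -s "$dump" ]; then
        echo "error: backup $dump missing or empty, not updating" >&2
        return 1
    fi

    run psql -U qradar -c "UPDATE sensordevice SET hostname='127.0.0.1' WHERE id=$id" || return 1
    # Show the row again so the new hostname can be confirmed.
    run psql -U qradar -c "SELECT id, hostname, devicename FROM sensordevice WHERE id=$id"
}

# Usage: DRY_RUN=1 fix_internal_hostname 69   (prints the commands only)
#        fix_internal_hostname 69             (runs them)
```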

Document Location

Worldwide

Document Information

Modified date:
29 June 2022

UID

ibm16557434