IBM Support

QRadar: A user is missing Quick Searches in the Log Activity window

Troubleshooting


Problem

A user can't select any saved search from the Quick Searches drop-down menu; the list is empty.

Symptom

The list under Quick Searches is empty for an affected user.

Cause

The arielSearches or dashboardSearches templates are missing for an affected user.

Resolving The Problem

Important: This procedure involves restarting the Web Server service (Tomcat), which disrupts access to the GUI and disconnects any user sessions on the GUI during the restart. You might need to schedule a maintenance window for the restart. If unsure, check with your QRadar admin team.

  1. Stop the Tomcat service
    systemctl stop tomcat
  2. Open the users directory to view the user configurations.
    cd /store/users/;ls -lsa
  3. Back up the affected user's current configuration. Substitute "user1" with your affected user.
    cp -v /store/users/user1/data.conf /store/users/user1/data.conf.old
  4. Confirm that there are no arielSearches or dashboardSearches already configured (remove by manually editing the file in vi or vim if necessary):
    grep "arielSearches" /store/users/user1/data.conf
    grep "dashboardSearches" /store/users/user1/data.conf
  5. To see the "admin" user configuration, you can use the previous grep command on the admin/data.conf file.

    Example output:

    [root@qradar ~]# grep "arielSearches" /store/users/admin/data.conf
    arielSearches.events=SYSTEM-46,58fbb7a2-b193-482b-bd5a-40e572f203f7,b35c8bba-e645-477f-8ee4-0dfd3d5165c5,SYSTEM-13,SYSTEM-49,SYSTEM-47,SYSTEM-48,e8a78a39-5560-4206-9c8c-6e348b867f31,DEFAULT-11,fd1d8b6d-c6b3-4a48-b90e-464d49db017e,726125ab-10d9-420d-ad08-1e2e255eae83,0af343b1-c856-4744-9567-4805880c0776,DEFAULT-12,e4629b2a-fcb0-4687-baa2-9d09b00668af,da80e139-bbeb-4d3b-8182-6e5a21e182a3,a0044158-61ea-4d65-9354-24e64c4ef277,e4668ef0-d628-4d28-90fd-64e35c18fe1a,5b490b12-1cf6-43f1-adfd-5172eae0c379,ea086de0-65ee-4960-86ea-133e68483172,b7d4479d-f886-47d0-8c23-0941850913fa,6acb65c6-a02f-40d0-8514-28f97c7ef1e9,DEFAULT-5,DEFAULT-7,843cdf57-ce35-475a-ad3d-73221e15c2c1,0d3cc801-52c3-4dbd-a43c-320cca195adc,1063430b-8c3c-41fb-984c-50550537a88a,7526e088-860e-4400-816e-e941837afd8e,83ec8164-6e0d-4f71-87da-2e86936d056b,5cf59874-edea-42ad-b845-ce4bdbe1abc8,6fc8e880-3d7c-44e8-98f7-883672fcd28c,12381bd2-f27f-4b45-9669-0db8043883e5,78d6a762-8480-4494-bc20-10540d4cc580,4a7d14b2-7c9a-4ea4-8e1a-db2d167cd37b,b233182f-b32d-4294-9b01-b1989fc18401,1319242b-615f-4976-829f-6fd62f735cc7,SYSTEM-DLP-35,SYSTEM-17,SYSTEM-16,DEFAULT-1,ecbff5ae-d9de-4fbf-a76b-f59d40744437
    arielSearches.flows=ed30e868-c726-4f40-a4c4-525931f63014,7864efb1-9fa3-461c-adfc-5bb4c44163cc,5f1fac19-9d38-4cc0-ad73-1dd2a0c2663c,0fe9b644-2660-4465-a2a5-ccaf7c167b1f,599c01f0-b8f8-4143-8e62-ba79f16d937d,81e5d75d-924d-4d72-97e9-a2096fa5e784,dc3906a8-c380-477f-ad01-e96b1e900d6d,f889a382-182b-4252-814b-b9128bf02cd2,6f2e9965-7d5f-423b-975e-5d92176c99a2,1fc0c21a-8e6a-4f58-9c77-8fc534691d82,ba619aed-70cc-4eeb-ba23-452ceb81b72a,2c7800c3-a5a0-47f4-92c7-f0c0e3a42708,2f3c3af5-f76f-4d15-9a8d-c154a1e15772,91c512fb-69ae-4a2f-ba12-dccc308db1d6,089ef438-dae0-4dec-b263-19232d5f9fce,e24debde-55bb-4e03-b9a8-aefb70827108,c9a98ae2-1554-4245-a7d6-f7a5f0d0fdee,DEFAULT-8,3dccb52e-f69e-4820-a42f-349e5d357d9d,3627a24b-7d7d-4465-a714-98a98415cb93,b36aaee8-d1f3-44ae-82a0-db18ac8de7d2,29426d78-ff75-4516-bd8a-0c796c2f996b,78b782f0-75ae-448a-ba2f-54b9170f3112
    [root@qradar ~]# 

     
  6. Copy the arielSearches and dashboardSearches sections from the admin user to the affected user.
    grep "arielSearches.events" /store/users/admin/data.conf >> /store/users/user1/data.conf
    grep "arielSearches.flows" /store/users/admin/data.conf >> /store/users/user1/data.conf
    grep "dashboardSearches.events" /store/users/admin/data.conf >> /store/users/user1/data.conf
    grep "dashboardSearches.flows" /store/users/admin/data.conf >> /store/users/user1/data.conf
  7. Start the Tomcat service.
    systemctl start tomcat
  8. Check the result in Log Activity. If the result does not look correct, you can revert the data.conf file to the original file from Step 3, and copy the information from a user other than "admin".
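
An added example, not part of the IBM technote: a shell helper for steps 3, 4 and 6 that can be rerun without duplicating entries. It matches each key exactly (in the grep commands above, "." is a regex wildcard), leaves keys the user already has for manual review, and never overwrites an earlier backup. The function name copy_search_keys and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code. copy_search_keys is a hypothetical helper.
# Run it only while Tomcat is stopped (between steps 1 and 7).
SEARCH_KEYS="arielSearches.events arielSearches.flows dashboardSearches.events dashboardSearches.flows"

# copy_search_keys SRC_CONF DST_CONF
# Appends each key found in SRC_CONF to DST_CONF unless DST_CONF already has it.
# Prints the number of lines appended on stdout; notes go to stderr.
copy_search_keys() {
    src=$1
    dst=$2
    if [ ! -r "$src" ] || [ ! -w "$dst" ]; then
        echo "cannot read $src or write $dst" >&2
        return 1
    fi

    # Step 3: keep mode and timestamps, and never overwrite an earlier backup.
    backup="$dst.old"
    if [ -e "$backup" ]; then backup="$dst.old.$(date +%Y%m%d%H%M%S)"; fi
    cp -p "$dst" "$backup" || return 1

    added=0
    for key in $SEARCH_KEYS; do
        # Anchor the match and escape "." so only the exact key matches.
        pat="^$(printf '%s' "$key" | sed 's/\./\\./g')="
        if grep -q "$pat" "$dst"; then
            # Step 4: an existing entry is left for manual review.
            echo "skip $key: already present in $dst" >&2
            continue
        fi
        line=$(grep "$pat" "$src" | head -n 1)
        if [ -z "$line" ]; then
            echo "skip $key: not found in $src" >&2
            continue
        fi
        # Without a trailing newline the key would be glued onto the last line.
        if [ -n "$(tail -c 1 "$dst")" ]; then echo >> "$dst"; fi
        printf '%s\n' "$line" >> "$dst"
        added=$((added + 1))
    done
    echo "$added"
}

# Script use (copy_keys.sh is a hypothetical file name):
#   sh copy_keys.sh /store/users/admin/data.conf /store/users/user1/data.conf
if [ "$#" -eq 2 ]; then
    copy_search_keys "$1" "$2"
fi
```

Try it on copies of both data.conf files first; the count it prints should be 0 on a second run.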

Document Location

Worldwide


Document Information

Modified date:
27 April 2022

UID

ibm16562295