How To
Summary
Administrators who are auditing storage or experiencing storage issues might want to confirm the number of hourly Ariel files in the store directory. If retention buckets are configured, the directory can contain more than 60 files. This technical note provides commands that give an overview of the directory and show how the files are distributed across retention buckets.
Objective
Confirm the number of files grouped by retention bucket for a specific date
To review the number of files in a retention bucket in /store/ariel by date, complete the following procedure.
- Use SSH to log in to the QRadar Console as the root user.
- Open an SSH session to the appliance storing the event data, such as an Event Processor or Data Node.
- To view the number of files, grouped by retention bucket, for a specific date and hour (replace YYYY, MM, DD, and HH with the values to check), type:
ls /store/ariel/events/payloads/YYYY/MM/DD/HH | grep -oP '~\d+$' | sort | uniq -c
Confirm the number of files grouped by retention bucket for a full month
To review the number of files in a retention bucket in /store/ariel by month, complete the following procedure.
- Use SSH to log in to the QRadar Console as the root user.
- Open an SSH session to the appliance storing the event data, such as an Event Processor or Data Node.
- To view the number of files, grouped by retention bucket, for every day and hour of a month (replace YYYY and MM with the values to check), type:
ls /store/ariel/events/payloads/YYYY/MM/*/* | grep -oP '~\d+$' | sort | uniq -c
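The following added example (not part of the original IBM note) breaks one day down per hour and per retention bucket, and also counts files that have no ~N suffix, which the grep pattern above silently drops. The function name bucket_counts and the "none" label are assumptions made for this example; it assumes GNU find and the YYYY/MM/DD/HH layout shown in the commands above.

```shell
#!/bin/sh
# Added example: count Ariel payload files per hour and per retention bucket.
# Usage: sh bucket_counts.sh /store/ariel/events/payloads/YYYY/MM/DD
# Output: one line per "HH BUCKET COUNT", sorted by hour, then bucket.

bucket_counts() {
    # $1: a day directory that holds one subdirectory per hour (HH).
    day_dir=$1
    if [ ! -d "$day_dir" ]; then
        echo "not a directory: $day_dir" >&2
        return 1
    fi

    # find avoids parsing ls output (directory headers, blank lines) and
    # only looks at regular files exactly one level below the hour directory.
    find "$day_dir" -mindepth 2 -maxdepth 2 -type f |
    awk -F/ '
        {
            hour = $(NF - 1)
            name = $NF
            # Bucket ID = digits after the final "~", the same suffix the
            # grep pattern ~\d+$ extracts. Files without it are "none".
            if (match(name, /~[0-9]+$/))
                bucket = substr(name, RSTART + 1)
            else
                bucket = "none"
            count[hour " " bucket]++
        }
        END {
            for (key in count)
                print key, count[key]
        }
    ' | LC_ALL=C sort -k1,1 -k2,2
}

# Run directly when a day directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    bucket_counts "$1"
fi
```

An hour whose counts sum to more than 60 across buckets is consistent with the retention-bucket behavior described in the summary.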
Document Location
Worldwide
Document Information
Modified date: 31 March 2022
UID: ibm16564327