Troubleshooting
Problem
This article gives a brief explanation on the limitations of exporting data from the Log Activity tab in QRadar, and provides suggestions on best practices to avoid a timeout during the data export.
Diagnosing The Problem
Events can be exported from the GUI by going to the Log Activity tab where a search is entered or a saved search is selected to pull the data.
There are two formats available to export data from the Action menu in the Log Activity tab:
- Actions: Export to XML
- Actions: Export to CSV
Resolving The Problem
The format chosen does not significantly impact the time it takes to export results, however there are others factors to be taken into consideration.
Factors that increase the time to export events:
- The Amount of Columns:
After the format is chosen between XML or CSV, users need to decide to export the visible columns or all columns.
This decision impacts significantly the amount of time it takes to complete the export, visible columns exports only the columns you see in the Log Activity that is why this option takes less time to complete. - Number of Results:
The number of results exported (events) increases the time. If many results are combined with the option for all columns, the export takes a long time to complete. - Time Range:
It is also important to use specific timeframes, so the export does not contain unnecessary data. - System Load:
It needs to be considered, especially because exports are handled one at a time by a single thread. That means that if the system is loaded and export start to be queued, there are not many resources designated to the export process, the overall performance of the system decreases.
"There was a problem completing your export" error:
This error means that the export process timed out, so what can be done? Apart from the suggestions given so far, the user can consider exporting the data through the QRadar API. This option is much faster than performing the export through the UI:
Finally, something to take into consideration also is that the performance of the data export changes from system to system because every environment is different. A good number to start with when a user is exporting data is 10.000 events. The user can choose between the visible columns and all columns options with a limit of 10.000 events to monitor the time it takes to complete the export. Based on the result they can start incrementing the number depending on their needs.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
15 August 2022
UID
ibm16590289