IBM Support

QRadar: Upgrades to V7.5.0 UP2 can reduce available SCA search threads (IJ40606)



A reported performance issue exists in QRadar 7.5.0 Upgrade Pack 2 where threads for X-Force for rules and searches might be reduced. When this issue occurs, the scaserver threads can be incorrectly reduced to 15 after the administrator installs or upgrades to QRadar 7.5.0 Upgrade Pack 2. This technical note explains the workaround for administrators affected by APAR IJ40606


The scaserver.ini has the number of SCA_THREADS reduced to 15, instead of being calculated by the number of CPUs available on the appliance.


QRadar 7.5.0 Upgrade Pack 2 (Build 20220527130137).

Resolving The Problem

Note: This issue has been fixed in 7.5.0 UP3. The following workaround is for systems still at 7.5.0 UP2 only.
  1. Use SSH to log in to the Console as the root user.
  2. Create a new file named with the command:
    touch /root/
  3. Using an editor such as vi add the following to the file:
    SERVER_CPUS=$(lscpu | grep "^CPU(s)" | sed "s/.* //")
    if [[ $SERVER_CPUS == +([0-9]) ]] 
      SCA_THREADS=$(((299 + 22*SERVER_CPUS) / 30)) 
      sed -i "/\[threads\]/{n;s/.*/$SCA_THREADS/}" $SERVER_INI
      grep -A1 "\[threads\]" $SERVER_INI
      if systemctl -q is-active scaserver
        systemctl restart scaserver
  4. Make the script executable with the command:
    chmod +x /root/
  5. Transfer the script to all managed hosts with the command:
    /opt/qradar/support/ -C -p /root/
  6. run the script on all hosts with the command (this will restart the scaserver service on all hosts):
    /opt/qradar/support/ -C "/storetmp/; rm -f /storetmp/"
  7. Wait for the command prompt to return.

    All appliances in the deployment are updated with new values. To verify the SCA server thread value is updated, administrators can SSH to an appliance and type the following command to confirm the value shows greater than 15 assigned threads:
    cat /store/dca/server.ini
    If you are unsure of any steps outlined in this technical note or need assistance with the workaround, contact QRadar Support.

Document Location


[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwszAAA","label":"Install"},{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5.0","Type":"MASTER"}]

Document Information

Modified date:
27 September 2023