IBM Support

QRadar: Checking top command for process causing performance degradation

How To


Summary

How to determine which process is causing a performance issue in QRadar by using the top command.

Objective

To understand performance degradation, it is crucial to find out which component is affected by it. Usually, it is ecs-ec (the Collector) or ecs-ep (the Processor).

Steps

  1. To identify the process that uses the most CPU resources, run top:
    top
    Example after top command:
    [Screenshot: top output]
  2. To find details of the process with the high CPU load, press 'c' while top is running.
    Example after 'c' selected:
    [Screenshot: top output after 'c' is pressed]
    Note: Press 'c' again to go back to the default.
  3. Depending on which process is affected by the high CPU load, the following can be of assistance:
    Not enough system resources
    Ecs-ep and ecs-ec pipeline high CPU

Additional Information

The Linux top command shows OS processes and the load they place on the operating system.
By default, top does not show the full path to the program or distinguish between kernel-space processes and user-space processes. QRadar has many of its components built in Java™, so this kind of output can be visible in the command line.
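
The steps above can also be applied non-interactively. The following shell function is an added example, not part of the IBM document: it reads top batch-mode output with full command lines (the equivalent of pressing 'c') and labels the busiest processes as ecs-ec, ecs-ep, kernel thread, or other. The sample output is constructed, and the java arguments in it, including the idea that the component name appears in the command line, are assumptions.

```shell
#!/bin/sh
# Constructed sample of `top -b -n 1 -c` output (not captured from a real system).
# The java arguments are illustrative assumptions.
sample_top() {
cat <<'EOF'
top - 13:40:29 up 12 days,  3:01,  1 user,  load average: 7.91, 6.50, 5.20
Tasks: 312 total,   2 running, 310 sleeping,   0 stopped,   0 zombie

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 4121 root      20   0   12.1g   6.2g  14320 S 187.5 19.8 912:44.10 /usr/bin/java -Dapplication.name=ecs-ep -Xmx8g
 3987 root      20   0    9.8g   3.1g  13100 S  42.0  9.9 301:12.55 /usr/bin/java -Dapplication.name=ecs-ec -Xmx4g
 2210 postgres  20   0    1.2g 210340  98000 S   6.3  0.6  44:01.02 postgres: writer process
   17 root      20   0       0      0      0 S   0.7  0.0   1:02.33 [ksoftirqd/1]
EOF
}

# busiest [N]: read batch-mode top output on stdin and print
# "PID %CPU LABEL" for the N processes with the highest %CPU (default 3).
busiest() {
  n="${1:-3}"
  awk '
    # Header row: learn column positions by name instead of hard-coding them.
    $1 == "PID" { for (i = 1; i <= NF; i++) col[$i] = i; hdr = 1; next }
    # Process rows: everything from the COMMAND column onward is the command line.
    hdr && NF >= col["COMMAND"] {
      cmd = $(col["COMMAND"])
      for (i = col["COMMAND"] + 1; i <= NF; i++) cmd = cmd " " $i
      label = "other"
      if (cmd ~ /ecs-ec/)           label = "ecs-ec(Collector)"
      else if (cmd ~ /ecs-ep/)      label = "ecs-ep(Processor)"
      else if (cmd ~ /^\[.*\]$/)    label = "kernel-thread"  # top -c brackets kernel threads
      print $(col["PID"]), $(col["%CPU"]), label
    }
  ' | sort -k2,2nr | head -n "$n"
}

# Demonstration on the constructed sample.
# On a live system: top -b -n 1 -c | busiest 5
sample_top | busiest 3
```
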

Document Location

Worldwide


Document Information

Modified date:
13 October 2022

UID

ibm16619369