IBM Support

QRadar: Checking top command for process causing performance degradation

How To


How to determine what process is causing a performance issue in QRadar with top command.


Crucial for understanding performance degradation is to find out which component is affected by it. Usually, it is ecs-ec (the Collector) or ecs-ep (the Processor).


  1. To identify the process with the most used cpu resources, run top:
    Example after top command:
  2. To find details of the process in trouble, with the high CPU load, press ‘c’ while top is running.
    Example after 'c' selected:
    Note: Press ‘c’ again to go back to the default.
  3. Depending on what process is affected by the high CPU load the following can be of assistance:
    Using ThreadTop to determine QRadar process load
    Not enough system resources
    Ecs-ep and ecs-ec pipeline high CPU

Additional Information

The Linux command called top shows OS processes and their load in the operating system.
By default, top does not show the full path to the program or make a distinction between kernel-space processes and user-space processes. In QRadar, which has many of its components built in Java™, this kind of output can be visible in the command line.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
01 February 2023