IBM Support

QRadar: How to clean Global View IDs that have no references

How To


Summary

Accumulator issues are caused by searches that are not properly tuned or too many global views in the system. By default, we allow a maximum of 300 Global Views in 7.3.x and later versions.
The reason No reference entries occur is because when a GV ID is missing the references list inside its VirtualView section, or when the VirtualView is corrupted during the mapping process. At times, when you are working with accumulator-related issues, you might need to clear GV IDs with No Reference entries, this helps QRadar function optimally.

IMPORTANT: Based on diagnostics, QRadar Support advises you when to clear GV IDs entries associated with No Reference in your environment. The steps are performed on the QRadar console. When these activities are done, services such as hostcontext and tomcat need to be stopped on the QRadar console. Due to service stoppage, the QRadar GUI might not be available, offense generation stops, report generation stops, and other services that are managed by hostcontext might stop. A maintenance window is advised to perform this activity.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwstAAA","label":"Accumulator"},{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"TS009221573","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Document Information

Modified date:
13 September 2024

UID

ibm16619601