IBM Support

QRadar: How to clean GV IDs that have No reference entries

How To


Summary

Accumulator issues are caused by searches that are not properly tuned or by too many global views (GVs) in the system. By default, QRadar allows a maximum of 300 Global Views in 7.3.x and later versions.
No reference entries occur when a GV ID is missing the references list inside its VirtualView section, or when the VirtualView is corrupted during the mapping process. When you work on accumulator-related issues, you might need to clear the GV IDs that have No Reference entries so that QRadar can function optimally.

IMPORTANT: QRadar Support advises you, based on diagnostics, when to clear the GV ID entries associated with No Reference in your environment. The steps are performed on the QRadar console. While these activities are done, services such as hostcontext and tomcat must be stopped on the QRadar console. While they are stopped, the QRadar GUI might not be available, offense generation stops, report generation stops, and other services managed by hostcontext might stop. A maintenance window is advised for this activity.

Environment

You can find these No reference entries in AccumulatorMapping.YYYYMMDD.txt, which is collected by get_logs or by the command /opt/qradar/support/collectGvStats.sh -M
An example of such a GV ID is as follows:

view[10164]
No references were found.

Steps

GV IDs with No reference entries are not in use, so you can remove them safely.
Run the clean-up command on the console only; the all_servers.sh wrapper used in step 2 runs it on your managed hosts (MHs) for you.

Perform the following steps on the console only.

1) Stop hostcontext and tomcat services

systemctl stop hostcontext
On another CLI, locate wait_for_start.sh:
locate wait_for_start.sh
When the full path is shown, run the script from that path to ensure all managed services are stopped (except ecs-ec-ingress).
/opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh

systemctl stop tomcat

On another CLI, run the following command to confirm the tomcat and httpd services are stopped.
systemctl status tomcat
systemctl status httpd 
2) Use the following command (in one line).
/opt/qradar/support/all_servers.sh -V -C "/opt/qradar/bin/runjava.sh -Xmx2048m -Xms2048m -Xss2048k com.q1labs.cve.utils.GlobalViewCleanup" | tee /root/GVcleanUp_DATE.txt
The clean-up command runs on the console first and then on the MHs.
3) Start tomcat and hostcontext
systemctl start tomcat
On another CLI, run the following command to confirm the tomcat and httpd services are started.
systemctl status tomcat
systemctl status httpd 

systemctl start hostcontext
On another CLI, locate wait_for_start.sh:
locate wait_for_start.sh
When the full path is shown, run the script from that path to ensure all managed services are started.
/opt/qradar/upgrade/util/setup/upgrades/wait_for_start.sh
4) Check that the connection to tomcat is up.
/opt/qradar/bin/test_tomcat_connection.sh
Note: tomcat might take some time to start. After the command shows the status as connected, you can connect to the QRadar GUI, and verify whether other functions are working as expected.
5) Run the Deploy changes from the Admin tab.
6) Restart the accumulator service on console and all event processors, flow processors, and data nodes.
systemctl restart accumulator
7) To verify that the GV IDs with No reference that were found are removed, review the output file that was written in step 2.
/root/GVcleanUp_DATE.txt
In addition, you can also review the technote for further troubleshooting of accumulator: QRadar: How to troubleshoot accumulator issues by using collectGvStats.sh
https://www.ibm.com/support/pages/qradar-how-troubleshoot-accumulator-issues-using-collectgvstatssh
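The helpers below are an added example written for this technote; they are not part of the technote or of QRadar. They pull the GV IDs with No reference entries out of an AccumulatorMapping.YYYYMMDD.txt file before the clean-up, and after the clean-up check that none of those IDs still has a view[ID] header in a freshly collected mapping file (step 7). They assume the two-line layout shown in the Environment section (a "view[ID]" line immediately followed by "No references were found."); the function names, the services_stopped helper (a plain systemctl is-active check for step 1) and the sample mapping files are all constructed for the example.

```shell
#!/bin/bash
# Added example, not from the IBM technote or from QRadar.
# Assumed file layout (from the technote's Environment section):
#   view[10164]
#   No references were found.
# Lines for views that DO have references are not documented on the page,
# so anything other than that two-line pair is simply ignored.

# Print, one per line, every GV ID whose "view[ID]" header is immediately
# followed by "No references were found.".
list_no_reference_gvids() {
    local mapping_file="$1"
    awk '
        /^view\[[0-9]+\]$/ {            # remember the ID from view[ID]
            id = $0
            sub(/^view\[/, "", id)
            sub(/\]$/, "", id)
            next
        }
        /^No references were found\./ { # counts only if it directly follows a header
            if (id != "") print id
            id = ""
            next
        }
        { id = "" }                     # any other line breaks the pair
    ' "$mapping_file"
}

# Number of GV IDs with no references (what the clean-up should drop).
count_no_reference_gvids() {
    list_no_reference_gvids "$1" | wc -l | tr -d '[:space:]'
}

# Given a file of GV IDs (one per line, e.g. saved from the function above)
# and a mapping file collected after the clean-up, print the IDs that still
# have a view[ID] header. Exit status 0 means every listed ID is gone.
remaining_gvids() {
    local id_list="$1" after_file="$2" id rc=0
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        if grep -q "^view\[$id\]$" "$after_file"; then
            printf '%s\n' "$id"
            rc=1
        fi
    done < "$id_list"
    return $rc
}

# Check for step 1: exit 0 only when none of the given units is active,
# e.g. services_stopped hostcontext tomcat httpd
services_stopped() {
    local unit
    for unit in "$@"; do
        if systemctl is-active --quiet "$unit"; then
            echo "still active: $unit" >&2
            return 1
        fi
    done
    return 0
}

# --- constructed sample data (not real QRadar output) -----------------------
make_sample_mapping_before() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
view[10164]
No references were found.
view[10165]
(constructed placeholder for a view that has references)
view[10170]
No references were found.
EOF
    printf '%s\n' "$f"
}

# "After" file in which the clean-up dropped 10164 but 10170 survived.
make_sample_mapping_after() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
view[10165]
(constructed placeholder for a view that has references)
view[10170]
No references were found.
EOF
    printf '%s\n' "$f"
}

demo() {
    local before after ids
    before=$(make_sample_mapping_before)
    after=$(make_sample_mapping_after)
    ids=$(mktemp)
    list_no_reference_gvids "$before" > "$ids"
    echo "GV IDs with no references before clean-up: $(count_no_reference_gvids "$before")"
    if remaining_gvids "$ids" "$after"; then
        echo "all listed GV IDs are gone"
    else
        echo "some GV IDs survived the clean-up (listed above)" >&2
    fi
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real console, save the "before" list with `list_no_reference_gvids AccumulatorMapping.YYYYMMDD.txt > /root/gvids_before.txt` before step 1, collect a new mapping file with collectGvStats.sh -M after step 6, and run `remaining_gvids /root/gvids_before.txt <new mapping file>`; a non-zero exit status means the clean-up did not remove everything and the /root/GVcleanUp_DATE.txt output from step 2 should be reviewed with Support.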

Document Location

Worldwide

Product: IBM Security QRadar SIEM
Component: Accumulator; Performance
Platform: Linux
Version: All Versions

Document Information

Modified date:
02 November 2022

UID

ibm16619601