QRadar: About /transient partition

What is the purpose of the /transient partition in QRadar, and how can I troubleshoot issues with the /transient partition filling?


The /transient partition is the second-largest partition in a QRadar appliance. It is used as the main directory for Ariel searches, reports, and transient files such as the spillover queue.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /store partition. If the /store partition fills up, the QRadar disk sentry stops the QRadar core services.

Upgrade from 7.2.x to 7.3.x

In QRadar 7.3.0 and older, the /transient partition did not exist on its own and was presented as /store/transient. Since 7.3.1, QRadar uses LVM, and the logical volume /dev/mapper/storerhel-transient is designated for the /transient partition, which is now its own partition; /store/transient is a symbolic link to it:

[root@qradar ~]# ll /store | grep transient
lrwxrwxrwx  1 nobody   nobody           11 Aug 23 23:57 transient -> /transient/

Disk allocation in /transient

QRadar allocates capacity to the /transient partition at installation, depending on how many disks are present. QRadar allocates 20% of the Console's disk and 10% on Managed Hosts for the /transient partition after the rest of the partitions are created. For more information about this procedure, see: QRadar: Installing QRadar on appliances with several disks.

When there is not enough space on a single disk, the /transient partition and the link to /store/transient are not created. All directories inside /store/transient then default to the "/" partition, causing disk space issues. To learn how to identify this issue, see: QRadar: Troubleshooting disk space usage problems.

Role of /transient in High Availability Clusters

The /transient partition is included in the disk calculations that are made when a High Availability Cluster is created. For other High Availability questions, see: QRadar: High Availability FAQ.

Failed Update Error
When a software update runs, the /transient partition is checked to ensure it has enough space for the update. If the partition does not have enough space, the update fails with a "patch test failed" error.

 [INFO](testmode) Checking Disk Space...
[ERROR](testmode) /transient has 153417728 Kb needed and only 124856540 Kb available
[ERROR](testmode) Usage Report:

=-= DiskSpace Report for Mountpoint '/transient' =-=
=-= Available: 124856540 Kb,  Required: 153417728 KB =-=

=-= Directories over 1G on mountpoint /transient to a depth of 3: /transient =-=
Size (MB)               Directory
1376257 /transient

=-= Files on mountpoint /transient over 1G =-=
1.1T /transient/01-1tbfile
321G /transient/01-320Gfile

=-= Disk Space Report Complete for '/transient'

[ERROR](testmode) - Mountpoint: /transient has 124856540 Kb available and requires 153417728 Kb

[ERROR](testmode) Pretest had 1 failed checks for free space;
 - Mountpoint: /transient has 124856540 Kb available and requires 153417728 Kb

[ERROR](testmode) sql pretest errored, halting.- Mountpoint: /transient has 124856540 Kb available and requires 153417728 Kb

 [INFO](testmode) Set <Hostname> status to 'Patch Test Failed'
[ERROR](testmode) Patching can not continue
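
The layout problem described under "Disk allocation in /transient" and the free-space failure in the log above can both be checked from a shell. The following is an added example, not part of the original article or IBM tooling; the function names and the --check argument are hypothetical, and the sample line is copied from the log above.

```shell
# Added example (not IBM code). Paths are arguments so the checks can be
# exercised against a scratch directory before being pointed at a real host.

# transient_link_state LINK TARGET -> ok | missing | not-a-symlink | wrong-target
# "not-a-symlink" is the failure case described above: /store/transient is a
# plain directory, so its contents are stored on whatever filesystem holds LINK.
transient_link_state() {
    if [ ! -e "$1" ] && [ ! -L "$1" ]; then echo missing
    elif [ ! -L "$1" ]; then echo not-a-symlink
    elif [ "$(readlink -f "$1")" != "$(readlink -f "$2")" ]; then echo wrong-target
    else echo ok
    fi
}

# backing_mount PATH -> mount point of the filesystem that stores PATH
backing_mount() {
    df -P "$1" | awk 'NR == 2 { print $6 }'
}

# pretest_shortfall: read update pretest output on stdin and print
# "<mountpoint> <Kb still to free>" for each failed free-space check.
pretest_shortfall() {
    awk '$3 == "has" && $6 == "needed" && $11 == "available" {
             printf "%s %d\n", $2, $4 - $9 }'
}

# The failing line from the log shown above.
sample_pretest_line() {
    echo '[ERROR](testmode) /transient has 153417728 Kb needed and only 124856540 Kb available'
}

# Inspect the live layout only when asked: sh <this file> --check
if [ "${1:-}" = "--check" ]; then
    echo "/store/transient link: $(transient_link_state /store/transient /transient)"
    echo "/store/transient is stored on: $(backing_mount /store/transient)"
    echo "/transient is stored on: $(backing_mount /transient)"
fi
```

On a healthy 7.3.1 or later host the link state is ok and both paths report /transient as their mount point; if /store/transient reports "/" instead, its contents are consuming the root partition.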

Troubleshooting Disk Space Issues
To determine which files or directories are filling the /transient partition and how to release space safely, follow the steps in the following articles:

