IBM Support

QRadar: How to fix the "Incomplete FTS index" error

Troubleshooting


Problem

This error appears when a search that uses a Quick Filter has a start date and time that is outside the payload index retention period.

Symptom

The following errors are displayed in /var/log/qradar.error:
[WARN] Index dir/store/ariel/events/records/2022/9/9/1/lucene[22-09-09,01:00:00] is outside of retention period 604800 sec
[WARN] Unable to extract indexinfo in folder: /store/ariel/events/records/2022/9/9/1/lucene[22-09-09,01:00:00].
[ERROR] Incomplete FTS index at least for: /store/ariel/events/records/2022/9/9/1/lucene[22-09-09,01:00:00]

Cause

Quick Filter is based on Lucene search technology, and the Lucene indexes are created on demand. Because the start date and time of the search is outside the configured retention period, Ariel cannot build the index and the search fails with the errors above.

Resolving The Problem

The searches that were running close to the time the errors fired can be listed by running the following command on the QRadar console:
grep -E 'SearchExecuted.*Quick' /var/log/audit/audit.log
Once the problematic searches are identified, the administrator can change the date and time of the search so that it falls within the index retention period.
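To triage the error lines quoted above without reading them by hand, the following added script (not IBM's code and not part of the technote) parses the index hour out of each "Incomplete FTS index" message, reads the retention period Ariel reports, and tells the administrator how far the search start must move. The sample log text and the reference time are constructed for the example; the exact layout of real /var/log/qradar.error lines (timestamps, thread names) is assumed to differ only by extra fields around these messages.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the messages in this technote (assumed format).
SAMPLE_LOG = """\
[WARN] Index dir /store/ariel/events/records/2022/9/9/1/lucene[22-09-09,01:00:00] is outside of retention period 604800 sec
[WARN] Unable to extract indexinfo in folder: /store/ariel/events/records/2022/9/9/1/lucene[22-09-09,01:00:00].
[ERROR] Incomplete FTS index at least for: /store/ariel/events/records/2022/9/9/1/lucene[22-09-09,01:00:00]
[ERROR] Incomplete FTS index at least for: /store/ariel/events/records/2022/9/15/13/lucene[22-09-15,13:00:00]
"""
REFERENCE_NOW = datetime(2022, 9, 17, 12, 0, 0)  # constructed "current time"
DEFAULT_RETENTION_SEC = 30 * 86400  # technote: default Payload Index Retention is 30 days

# Index folder names end in lucene[yy-mm-dd,HH:MM:SS]; capture path, day and clock.
INDEX_RE = re.compile(r"(/store/\S*?lucene\[(\d{2}-\d{2}-\d{2}),(\d{2}:\d{2}:\d{2})\])")
RETENTION_RE = re.compile(r"outside of retention period (\d+) sec")


def retention_seconds(log_text):
    """Retention period reported by Ariel in the WARN line, else the product default."""
    m = RETENTION_RE.search(log_text)
    return int(m.group(1)) if m else DEFAULT_RETENTION_SEC


def incomplete_indexes(log_text, now):
    """Map each index path named in an 'Incomplete FTS index' error to
    (index hour, age in seconds, True if the index is older than retention)."""
    retention = retention_seconds(log_text)
    result = {}
    for line in log_text.splitlines():
        if "Incomplete FTS index" not in line:
            continue
        m = INDEX_RE.search(line)
        if not m:
            continue
        path, day, clock = m.groups()
        indexed_at = datetime.strptime(f"{day} {clock}", "%y-%m-%d %H:%M:%S")
        age = int((now - indexed_at).total_seconds())
        result[path] = (indexed_at, age, age > retention)
    return result


def earliest_quick_filter_start(log_text, now):
    """Oldest start time a Quick Filter search can use and still stay within retention."""
    return now - timedelta(seconds=retention_seconds(log_text))


if __name__ == "__main__":
    for path, (when, age, outside) in incomplete_indexes(SAMPLE_LOG, REFERENCE_NOW).items():
        print(f"{path}: index hour {when}, age {age // 86400} days, outside retention={outside}")
    print("Quick Filter start must be on or after", earliest_quick_filter_start(SAMPLE_LOG, REFERENCE_NOW))
```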
The retention period for Quick Filters can be checked or edited by using the following steps:

Notes:
  • A payload index retention longer than the default consumes extra disk space to store the indexes.
  • After an increase is made to the Payload Index Retention field, monitor system notifications to ensure that the longer retention does not fill the disk.
  • The retention value must reflect the time spans that users or security operators typically search.
Steps:
  1. Log in to QRadar as the admin user.
  2. Go to Admin.
  3. Click System Settings.
  4. Search for the Database Settings section.
  5. The attribute Payload Index Retention is the Quick Filter period limit.
    The default Payload Index Retention period is 30 days. The minimum is 1 day, and the maximum is 2 years.
  6. Deploy the changes.

Result

The administrator can verify the current configuration for the Payload Index Retention period and decide whether this value has to be increased or whether the search time range has to be changed.

Document Location

Worldwide


Document Information

Modified date:
10 November 2022

UID

ibm16832712