IBM Support

QRadar: How to troubleshoot Ariel data export

How To


Summary

This article explains where to find the AQL query behind a Log Activity search, and how to confirm from the console logs whether a data export was initiated, is running in the background, has completed, or is stuck because /store/tmp is out of space.

Steps

How to find the AQL query for a search in Log Activity

  1. Log in to the QRadar user interface.
  2. Go to Log Activity.
  3. Load the saved search.
  4. Click Search, then Edit Search.
  5. Click Show AQL. A new window opens that contains the AQL version of the search.

    Result
    Administrators get the AQL search version of the Log Activity search.

How to know whether the GUI export initiates in the background

  1. SSH into the QRadar console.
  2. Run the following command:
    grep "Initiating EventViewer" /var/log/qradar.log
    Output example:
    [INFO] Initiating EventViewer data export requested by admin, job is assigned id <job id>

    Result
    The administrator confirms that the export was initiated by the "Initiating EventViewer data export requested by admin" log message.

How to know whether the export is completed

  1. SSH into the QRadar console.
  2. Run the following command:
    grep "user admin is complete" /var/log/qradar.log
    Output example:
    [INFO] Export job <job id> for user admin is complete

    Result
    Admin confirms when the data export is complete.

How to know whether the export is running in the back end

  1. SSH into the QRadar console.
  2. Run the following command:
    grep "Backgrounding export job" /var/log/qradar.log
    Output example:
    [INFO] Backgrounding export job 5ba02cf2-309e-1234-1234-1532dc8772e4 for user <user>

    Result
    The administrator confirms that the export job is running in the background.

How to know whether the export is getting stuck due to lack of space

The export file is created in /store/tmp/. Check the free space on the partition that holds /store/tmp/. If this partition is more than 85% full, the export is interrupted and does not complete.

Use the following steps to check the available space for /store/tmp/:

  1. SSH into the QRadar console.
  2. Run the following command:
    df -h /store/tmp
    Output example:
    # df -h /store/tmp
    Filesystem                     Size  Used Avail Use% Mounted on
    /dev/mapper/rootrhel-storetmp   15G   37M   15G   1% /storetmp
    If Use% is higher than 85%, then the export fails due to lack of disk space.

    Result
    The administrator confirms that /store/tmp/ has enough space to complete the export. If there is not enough disk space, free up space on that partition before running the export again.

    For more information about disk space, see the following link:
    Disk Space 101
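The checks from the sections above, combined into one script, as an added example that is not part of the IBM article. It greps /var/log/qradar.log for the three messages the article describes for a given job id, and applies the article's 85% limit to the Use% column of df -h /store/tmp. The log and df samples are constructed from the article's own output examples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not IBM code: correlate the qradar.log messages for one
# export job id and check /store/tmp against the article's 85% limit.

# Constructed sample of /var/log/qradar.log lines; the job id is the one
# from the article's own output example.
SAMPLE_LOG='[INFO] Initiating EventViewer data export requested by admin, job is assigned id 5ba02cf2-309e-1234-1234-1532dc8772e4
[INFO] Backgrounding export job 5ba02cf2-309e-1234-1234-1532dc8772e4 for user admin
[INFO] Export job 5ba02cf2-309e-1234-1234-1532dc8772e4 for user admin is complete'

# Constructed sample of `df -h /store/tmp` output (the article's example).
SAMPLE_DF='Filesystem                     Size  Used Avail Use% Mounted on
/dev/mapper/rootrhel-storetmp   15G   37M   15G   1% /storetmp'

# export_state JOBID [LOGFILE]: prints complete, running, initiated or
# unknown, checking the most advanced stage first. LOGFILE defaults to
# the console's qradar.log.
export_state() {
  job="$1"; log="${2:-/var/log/qradar.log}"
  if grep -q "Export job $job for user .* is complete" "$log"; then
    echo complete
  elif grep -q "Backgrounding export job $job for user" "$log"; then
    echo running
  elif grep -q "job is assigned id $job" "$log"; then
    echo initiated
  else
    echo unknown
  fi
}

# df_use_percent "DF_OUTPUT": extract the Use% column (e.g. "1%") from
# the header-plus-one-line output of `df -h /store/tmp`.
df_use_percent() {
  printf '%s\n' "$1" | awk 'NR == 2 { print $5 }'
}

# storetmp_ok USE_PERCENT: succeeds at 85% or below (the article's limit
# for an export to finish) and fails above it.
storetmp_ok() {
  pct="${1%\%}"
  [ "$pct" -le 85 ]
}

# Demo on the constructed samples. On a real console omit the second
# argument and pass "$(df -h /store/tmp)" to df_use_percent.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
echo "export state: $(export_state 5ba02cf2-309e-1234-1234-1532dc8772e4 "$demo_log")"
rm -f "$demo_log"
use=$(df_use_percent "$SAMPLE_DF")
if storetmp_ok "$use"; then echo "/store/tmp at $use: ok"; else echo "/store/tmp at $use: too full"; fi
```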

Document Location

Worldwide


Document Information

Modified date:
21 November 2022

UID

ibm16834034