IBM Support

QRadar: Flow notification, "Dropped a templateless or unmarried flow" warning in logs

Question & Answer


Question

What is the "Dropped a templateless or unmarried flow" warning notification?

Cause

A template might be missing, so the flow data is being dropped. The notification for "templateless data" or "unmarried data" can be due to one of the following reasons:
  • UDP packet loss to QFlow
  • Packet loss on the input queue of QFlow
  • QFlow restarted recently and the exporter did not periodically resend the template

Answer

The warning alert occurs when qflow (the flow collector or flow processor) receives flows from external flow sources that have no template, or receives incomplete packets. As the warning message explains, the flows are stored in a cache while they wait for a template match; after the cache is full, qflow starts dropping the unmarried or templateless flows. For deployments that process flows, you might receive the following warning notification message:
In 7.5 UP4 and later:
X.X.X [26187] qflow: [WARNING] [NOT:0400000001] [Interval: 1679343300] 
Message issued 921 times; first instance 
'Dropped a templateless data flow exceeding the templateless data cache for a 
specific template key size limit from external flow sources'
Before 7.5 UP4:
X.X.X [26187] qflow: [WARNING] [NOT:0400000001] [Interval: 1679343300] 
Message issued 921 times; first instance 
'Dropped unmarried data flow exceeding the unmarried data cache for a specific 
template key size limit from external flow sources'
Note: The error is similar in all QRadar versions, but the text differs slightly. In 7.5 UP4 and later, the data flow is referred to as templateless; before 7.5 UP4, it is referred to as unmarried.
The warning notification exists to make administrators aware of why some flows are not processed. Because the notification usually occurs during a "Deploy Full Configuration", users who find the notification a nuisance can move the QID to a new rule and enable a rule response limiter for Dropped Flow Traffic - QID 38750183. It is not recommended that users delete QID 38750183, as the event can serve as an important warning of flow data loss. As a best practice, administrators can move the QID to a new rule and tune the rule to add a response limiter, or a search that determines whether a Deploy Full Configuration (QID 28250147) occurred during the same time frame. Whenever possible, use "Deploy Changes" to minimize flow data disruption and avoid restarting services, which can cause the Dropped Flow Traffic system notification.
The user interface informs the administrator as to what type of deploy is required. When the user interface informs you to complete a "Deploy Full Configuration", you must click Advanced > Deploy Full Configuration to successfully apply a change. If your organization has strict rules around data and service restarts, see QRadar: Impact of Deploy Full Configuration on events, flows, and offenses.
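The following is an added example, not IBM's code or part of this article: it parses the qflow warning quoted above (both wordings) and applies the triage logic the best practice describes, labelling each Dropped Flow Traffic event (QID 38750183) as deploy-related when a Deploy Full Configuration (QID 28250147) preceded it within a window. The 30-minute window, the (timestamp, qid) event tuples and the sample data are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

DROPPED_FLOW_QID = 38750183   # Dropped Flow Traffic system notification (from the article)
DEPLOY_FULL_QID = 28250147    # Deploy Full Configuration (from the article)

# Matches both wordings: "templateless" (7.5 UP4 and later) and "unmarried" (before 7.5 UP4).
WARNING_RE = re.compile(
    r"qflow: \[WARNING\] \[NOT:(?P<notid>\d+)\] \[Interval: (?P<interval>\d+)\]\s*"
    r"Message issued (?P<count>\d+) times; first instance\s*'(?P<text>[^']*)'"
)

def parse_qflow_warning(line):
    """Return notification id, interval (UTC), drop count and wording, or None."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    return {
        "notification_id": m.group("notid"),
        "interval_utc": datetime.fromtimestamp(int(m.group("interval")), tz=timezone.utc),
        "count": int(m.group("count")),
        "wording": "templateless" if "templateless" in m.group("text") else "unmarried",
    }

def classify_dropped_flow_events(events, window_minutes=30):
    """Label each QID 38750183 event (ts, qid) as 'deploy' or 'investigate'.
    Drops within window_minutes after a Deploy Full Configuration are expected noise;
    anything else points at UDP packet loss, input-queue loss, or a template not resent."""
    deploys = [ts for ts, qid in events if qid == DEPLOY_FULL_QID]
    window = timedelta(minutes=window_minutes)   # assumed window, tune per deployment
    labels = []
    for ts, qid in events:
        if qid == DROPPED_FLOW_QID:
            related = any(timedelta(0) <= ts - d <= window for d in deploys)
            labels.append((ts, "deploy" if related else "investigate"))
    return labels

# Constructed sample input (not from a real deployment); the warning text is the
# 7.5 UP4+ wording quoted above, joined onto one line.
SAMPLE_WARNING = (
    "X.X.X [26187] qflow: [WARNING] [NOT:0400000001] [Interval: 1679343300] "
    "Message issued 921 times; first instance 'Dropped a templateless data flow "
    "exceeding the templateless data cache for a specific template key size limit "
    "from external flow sources'"
)
SAMPLE_EVENTS = [
    (datetime(2023, 3, 20, 20, 0), DEPLOY_FULL_QID),
    (datetime(2023, 3, 20, 20, 15), DROPPED_FLOW_QID),  # 15 min after the deploy
    (datetime(2023, 3, 21, 3, 15), DROPPED_FLOW_QID),   # no deploy nearby
]
```

An "investigate" label is the case worth acting on: check for UDP loss towards QFlow, QFlow input-queue drops, and whether the exporter's template refresh interval is short enough to survive a QFlow restart.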


Document Information

Modified date:
21 September 2023

UID

ibm16983825