IBM Support

QRadar: Quick searches for tenants not working



Tenant user is unable to get data from Quick Searches under Log Activity tab.


The problem with the stats is that they are taken from the System Notification events generated from the console. 

Diagnosing The Problem

The existing EPS or Login failure searches or dashboard joins all internal CRE or EPS stats from the deployment. But even if you split it by Event Collector or Processor, you cannot allow the domain to read the System Notification log source because it is internal.

Resolving The Problem

The best approach is to create a search grouped by domain that counts events and create a dashboard of those events to get event count per minute or EPM.


To create a new search, perform the following steps:

  1. Log in to QRadar console as a tenant user.
  2. Navigate to the Log Activity tab.
  3. Click Log Activity tab.
  4. In the Advanced Search field, type the following AQL query:
    SELECT DOMAINNAME(domainId) AS 'Domain', SUM("eventCount") as 'total' from 
    events GROUP BY "domainId" order by 'total' desc last 1 MINUTES

    aql screen

You can now view the EPM.
After you restrict the user role or security policy to domain only, the EPS is not visible for non-admins. Editing the user role and adding Manage Time Series under Log activity do not reveal the internal events that the EPS calculation uses.
Note: You cannot add System Notification-log source to the customer domain because of a domain conflict.

Document Location


[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
30 April 2023