IBM Support

QRadar: Quick searches for tenants not working

Troubleshooting


Problem

A tenant user cannot get any data from the built-in Quick Searches (for example the EPS searches) under the Log Activity tab, while the same searches work for an administrator.

Cause

The built-in statistics are calculated from System Notification events that the console generates. That log source belongs to the internal (admin) domain, so a tenant user who is restricted to their own domain cannot read the events the statistic depends on, and the Quick Search returns no data.

Diagnosing The Problem

The existing EPS and Login Failure quick searches, and the dashboard items built on them, aggregate internal CRE and EPS statistics from the whole deployment. Splitting the search by Event Collector or Event Processor does not help: the tenant's domain still cannot be granted read access to the System Notification log source, because that log source is internal.

Resolving The Problem

Because the internal statistics cannot be shared with a tenant, the best approach is to create a search that groups the tenant's own events by domain and sums the event count, and then build a dashboard item on that search to show events per minute (EPM). A tenant user's search results are already limited by their security profile, so the grouped query only returns the domains that the user is allowed to see.

Procedure

To create the new search, perform the following steps:

  1. Log in to the QRadar console as the tenant user.
  2. Click the Log Activity tab.
  3. Switch the search bar from Quick Filter to Advanced Search.
  4. In the Advanced Search field, type the following AQL query and run it:
    SELECT DOMAINNAME(domainId) AS 'Domain', SUM(eventCount) AS 'total'
    FROM events
    GROUP BY domainId
    ORDER BY 'total' DESC
    LAST 1 MINUTES
  5. Save the search so that it can be selected as a dashboard item.

(Screenshot: the AQL query entered in the Advanced Search field)

Result
You can now view the EPM for the tenant's domain. Because the query runs over a one-minute window, the 'total' column is the EPM; dividing it by 60 gives an average EPS for that minute.
After a user role or security profile is restricted to a single domain, the built-in EPS value stays hidden from non-administrators. Editing the user role and adding Manage Time Series under Log Activity does not reveal the internal events that the EPS calculation uses.
Note: You cannot add the System Notification log source to the customer domain because of a domain conflict: a log source can belong to only one domain, and that one is internal.
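The same per-domain count can be collected without the UI, for example to feed an external dashboard or a scheduled report. The script below is an added example and is not part of the IBM document or of QRadar itself: it submits the document's AQL query through the Ariel REST API, waits for the search to complete, and converts the totals into EPM and EPS. The environment variable names QRADAR_HOST and QRADAR_SEC_TOKEN are assumptions; the token must belong to the tenant user, so that the API applies that user's security profile and only the tenant's domain(s) are returned. SAMPLE_ROWS is constructed data used only to show the shape of the API result.

```python
"""Run the per-domain event-count AQL query via the QRadar Ariel REST API and
turn the totals into events per minute (EPM) and events per second (EPS).

Added example, not from the IBM document. Assumes (hypothetical names):
  QRADAR_HOST       console host name
  QRADAR_SEC_TOKEN  authorized-service (SEC) token of the tenant user
"""
import json
import os
import ssl
import time
import urllib.parse
import urllib.request

WINDOW_MINUTES = 1  # the document's query uses LAST 1 MINUTES

# The document's query, parameterised on the time window.
AQL_TEMPLATE = (
    "SELECT DOMAINNAME(domainId) AS 'Domain', SUM(eventCount) AS 'total' "
    "FROM events GROUP BY domainId ORDER BY 'total' DESC LAST {n} MINUTES"
)

# Constructed sample of the rows the API returns under "events".
SAMPLE_ROWS = [
    {"Domain": "tenant-a", "total": 1200},
    {"Domain": "tenant-b", "total": 90},
    {"Domain": None, "total": 30},  # events with no resolvable domain name
]


def build_query(window_minutes=WINDOW_MINUTES):
    """Return the AQL text for the requested window in minutes."""
    return AQL_TEMPLATE.format(n=window_minutes)


def rates_per_domain(rows, window_minutes=WINDOW_MINUTES):
    """Map domain name -> (EPM, EPS), rounded to two decimals.

    rows is the list found under "events" in the Ariel results; a missing
    domain name is reported as "unknown" rather than dropped."""
    rates = {}
    for row in rows:
        domain = row.get("Domain") or "unknown"
        total = int(row.get("total") or 0)
        epm = total / window_minutes
        rates[domain] = (round(epm, 2), round(epm / 60, 2))
    return rates


def _request(host, token, method, path, query=None):
    """Send one authenticated request to /api on the console."""
    url = f"https://{host}/api{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(
        url, method=method,
        headers={"SEC": token, "Accept": "application/json"})
    # Keep certificate verification on; import the console CA instead of
    # disabling checks, so the SEC token is not exposed to a spoofed host.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def run_search(host, token, aql, poll_seconds=2, max_wait=120):
    """Submit an Ariel search, poll until it finishes, return its rows."""
    search = _request(host, token, "POST", "/ariel/searches",
                      {"query_expression": aql})
    sid = search["search_id"]
    deadline = time.time() + max_wait
    while search["status"] not in ("COMPLETED", "CANCELED", "ERROR"):
        if time.time() > deadline:
            raise TimeoutError(f"search {sid} still {search['status']}")
        time.sleep(poll_seconds)
        search = _request(host, token, "GET", f"/ariel/searches/{sid}")
    if search["status"] != "COMPLETED":
        raise RuntimeError(f"search {sid} ended with {search['status']}")
    results = _request(host, token, "GET", f"/ariel/searches/{sid}/results")
    return results["events"]


if __name__ == "__main__":
    host = os.environ["QRADAR_HOST"]
    token = os.environ["QRADAR_SEC_TOKEN"]
    rows = run_search(host, token, build_query())
    for domain, (epm, eps) in rates_per_domain(rows).items():
        print(f"{domain:30} {epm:10.2f} EPM {eps:8.2f} EPS")
```

Because the search is executed under the tenant's own token, the result only ever contains that tenant's domain(s); an administrator's token would return every domain, including the internal one, which is exactly the data the tenant is not meant to see.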

Document Location

Worldwide

Product: IBM Security QRadar SIEM (Security Software)
Category: Admin Tasks
Platform: Platform Independent
Version: All Versions

Document Information

Modified date:
30 April 2023

UID

ibm16985947