IBM Support

QRadar: AQL searches generate the "Subquery has incomplete results" error

Troubleshooting


Problem

A red error bar appears when a search is run with an AQL query that uses a subquery. The bar displays the following message: 

Subquery XXXXXX-XXXXX-XXXX-XXXX has incomplete results. Check the system log for details.

Symptom

When an AQL search that includes a subquery is run, the user can receive an error message stating that the subquery returned incomplete results:
(Screenshot: the "Subquery ... has incomplete results" error bar)
This error means that the results are truncated. It is not an issue with the Ariel service or an error that requires the environment to be checked. It is the default behavior when subqueries are used inside an AQL query. A subquery is a nested or inner query that is referenced by the main query, for instance:
SELECT username FROM (SELECT * FROM events WHERE username IS NOT NULL LAST 60 MINUTES)

Cause

Receiving the "Subquery has incomplete results. Check the system log for details" message indicates that the AQL subquery limit has been reached.
By default, Consoles of all hardware classes have a 10K result limit for a subquery inside an AQL query. When that limit is exceeded, the error message appears. However, on QRadar 7.5.0.4 and later, the limit is raised to 100K on xx24, xx28, xx29, and xx48 hardware class Consoles.

Diagnosing The Problem

If you are facing this issue, first check the hardware class of your Console by running the following command:
/opt/qradar/bin/myver -hwc
Output example:
# /opt/qradar/bin/myver -hwc
xx05
In this example, the Console is an xx05 running QRadar 7.5.0.5, so it is limited to 10K subquery results.
To verify this, look at the following test search: the highlighted section showing the number of displayed elements is below 10K.
(Screenshot: First AQL Test)
If the time frame of the AQL query is made larger so that it returns more events, the error message appears because the 10K limit was exceeded.
(Screenshot: Second AQL Test)
Running the same test on an xx24, xx28, xx29, or xx48 hardware class Console on QRadar 7.5.0.5 produces no error, because on these hardware classes the limit is raised to 100K in QRadar 7.5.0.4 and later.

Resolving The Problem

Adjust the search so that the subquery returns fewer events. Possible changes include:
  • Change the search time range to display fewer events.
  • Apply filters on the search to return fewer events.
  • Determine whether a subquery is needed for your use case at all.
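The following AQL is an added example and is not part of the IBM article. It takes the subquery from the Symptom section and shows each of the three adjustments above applied to it: a shorter time range, a filter inside the inner query, and a rewrite with no subquery. The log source identifier is a placeholder; the `logsourceid` event field and the `LAST n MINUTES` clause are standard AQL, and the rest of the structure follows the article's own query.

```sql
-- Original form from the article: the inner query returns every column of every
-- event with a username over 60 minutes, and that whole inner result set counts
-- against the subquery limit (10K, or 100K on the listed hardware classes).
SELECT username
FROM (SELECT * FROM events WHERE username IS NOT NULL LAST 60 MINUTES);

-- Adjustment 1 and 2: a shorter time range and a filter inside the inner query,
-- so fewer rows reach the subquery limit. Selecting only the column the outer
-- query needs also keeps the inner result set small.
-- <LOG_SOURCE_ID> is a placeholder for a real log source identifier.
SELECT username
FROM (
  SELECT username
  FROM events
  WHERE username IS NOT NULL
    AND logsourceid = <LOG_SOURCE_ID>
  LAST 15 MINUTES
);

-- Adjustment 3: for this use case the subquery adds nothing, so the same result
-- comes from a single query, which is not subject to the subquery limit.
SELECT username
FROM events
WHERE username IS NOT NULL
LAST 15 MINUTES;
```

When a subquery is still required, the rule of thumb is that the inner query, not the outer one, must stay under the limit, so time range and filters belong inside the parentheses.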

Related Information

Document Location

Worldwide


Document Information

Modified date:
16 June 2023

UID

ibm17000819