IBM Support

QRadar: Resolving high disk usage problems for /transient or /store/transient partition

Question & Answer


Question

What troubleshooting steps can be used to help resolve high disk usage situations on the /transient partition?

Cause

The /transient (in 7.3.x) or /store/transient (in 7.2.8) partition is where QRadar stores Ariel cursors for searches and the data for generated reports.

In this article, the names /transient and /store/transient are used interchangeably because they refer to the same partition in different QRadar versions.

Do not use /tmp/store/tmp, or /store/transient for your ISO upgrade. These directories are partitioned as part of the upgrade; you cannot use them as storage locations or as mount points for the ISO file.

The partition size and type vary based on the appliance type (Console, Event Processor, etc.), model (newer Console models have larger storage), hardware, software installation (customer appliance) or VM, and QRadar version.

By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage on the /transient partition. If the partition fills up above 95%, disk sentry stops the QRadar critical services.

To find out what files or directories are filling up the /transient partition, see the Troubleshooting Disk Space Problems technote: 
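
A pre-check along these lines can be run from the host's command line before usage reaches the limit. This is an added example, not IBM code and not the disk sentry implementation; the 10-point warning margin, the function names and the `report` argument are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): pre-check a QRadar host's transient partition
# against the 95% disk sentry limit described in this article.
SENTRY_THRESHOLD=95   # from the article: services stop above this usage
WARN_MARGIN=10        # assumption: start warning 10 points below the limit
# Mount points named in the article (7.3.x first, then 7.2.8); overridable.
TRANSIENT_CANDIDATES=${TRANSIENT_CANDIDATES:-"/transient /store/transient"}

# Print the first candidate directory that exists on this host.
transient_path() {
    for p in $TRANSIENT_CANDIDATES; do
        if [ -d "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# Read `df -P` output on stdin and print the Capacity column as an integer.
parse_capacity() {
    awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

usage_percent() { df -P "$1" | parse_capacity; }

# Map a usage percentage to OK, WARNING or CRITICAL.
classify_usage() {
    if [ "$1" -gt "$SENTRY_THRESHOLD" ]; then echo CRITICAL
    elif [ "$1" -ge $((SENTRY_THRESHOLD - WARN_MARGIN)) ]; then echo WARNING
    else echo OK
    fi
}

# List the N largest directories (KiB) under a path, staying on one filesystem.
largest_entries() {
    du -xk "$1" 2>/dev/null | sort -k1,1nr | head -n "$2"
}

report() {
    path=$(transient_path) || { echo "no transient partition found" >&2; return 2; }
    pct=$(usage_percent "$path")
    state=$(classify_usage "$pct")
    echo "$path is ${pct}% full: $state (disk sentry limit ${SENTRY_THRESHOLD}%)"
    if [ "$state" != OK ]; then largest_entries "$path" 10; fi
}

# Run the report only when asked, so the file can also be sourced.
if [ "${1:-}" = "report" ]; then report; fi
```

Invoke the script with the `report` argument to print the state of the partition; the directory listing appears only in the WARNING and CRITICAL states.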

   

Answer


1. Troubleshooting /transient space issues

These are the most commonly encountered issues that cause /transient to fill up. For specific information about troubleshooting /transient space issues, see the following technical documents:

This technical document details how to identify and delete large search data files that are causing the /transient partition to fill up.


This technical document explains, for a distributed QRadar environment, how QRadar accesses the data used by searches, offenses, and reports, and how the Console uses that data.

   

2. Defects around the /transient partition

This is a summary list of defects encountered on the /transient partition:



This is caused by HA standby managed hosts that do not correctly mount /store/transient if the boxes have been rebuilt from the recovery partition and the /store and /store/transient were not merged.

    

3. General Information about the sizing of /transient partition

Partition requirements and recommendations when upgrading:

During the upgrade process, partition requirements and recommendations are generated and stored in the /root/partition_instructions.txt file. This file is deleted during QRadar® setup on the new operating system. If you choose not to use the partition recommendations, make sure that you meet these partition requirements.

Note: Once on the IBM Knowledge Center, you can change the version from the drop-down for 7.2.8/7.3.0/7.3.2


Linux operating system partition properties for QRadar installations on your own hardware:

If you use your own appliance hardware, you can delete and re-create partitions on your Red Hat Enterprise Linux operating system rather than modify the default partitions.

Note:  Once on the IBM Knowledge Center, you can change the version from the drop-down for 7.2.8/7.3.0/7.3.1


  


Document Information

Modified date:
07 January 2021

UID

ibm10882064