IBM Support

QRadar: How does event retention work when it is set to more than a year but defined as a number of months?

Question & Answer


Question

Why does event retention not work as expected when it is set to more than a year but expressed in months as the unit?

Answer

When event retention is set to a number of months greater than 12, QRadar converts the months to years and rounds the result, so the value shown in the GUI is not exactly the value you entered.
For example, consider a case where we want to retain events for 13 months and select 13 months while configuring the Event Retention bucket.
Once we save it, the GUI shows 1.1 years instead of 13 months because of the conversion and rounding.
QRadar converts the number of months to years. In this case, 13 months = 1.08 years, which is then rounded to 1.1 years. Hence, we see 1.1 years in the GUI.
However, the actual retention for this bucket is still 1.08 years = 13 months = 395.4 days; only the displayed value is rounded.
This differs from the other scenario, where we manually set the Event Retention period to 1.1 years and save the retention bucket (see the retention bucket example screenshot in the original article).
In this case, the system retains the events for 1.1 years = 13.2 months = 401.5 days.
You can verify this by opening the bucket and changing the displayed time unit to months. It shows 13.2 months as the equivalent of 1.1 years.

So there is a subtle difference in the retention period between setting 13 months and setting 1.1 years, even though the GUI shows 1.1 years in both cases. When we set it to 1.1 years, the bucket retains events for 13.2 months, that is, about 6 extra days in this example (401.5 - 395.4 = 6.1 days).

If we search for events on 09-March-2023, we can see events from 10-Feb-2022 when event retention is set to 13 months, whereas with retention set to 1.1 years we can see events from 4-Feb-2022.
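The following added example (not QRadar's own code, and not part of the original article) models the conversion described above so an administrator can predict what a bucket will display and how many days it will actually retain. It assumes, from the page's own figures (13 months = 395.4 days, 1.1 years = 401.5 days), that QRadar uses a 365-day year and 365/12 days per month, and that the GUI rounds the converted value to one decimal place; the exact cut-off dates QRadar reports may differ slightly from the dates computed here, but the 6-day gap between the two settings matches the article.

```python
from datetime import date, timedelta

# Assumption: the page's figures (401.5 days for 1.1 years) imply a 365-day year.
DAYS_PER_YEAR = 365.0
DAYS_PER_MONTH = DAYS_PER_YEAR / 12  # 30.4167 days, so 13 months = 395.4 days


def retention_days(value, unit):
    """Actual retention of a bucket configured as <value> <unit>, in days (rounded to 0.1).

    The stored value is not rounded the way the GUI display is, which is why
    13 months and 1.1 years keep events for different lengths of time.
    """
    if unit == "months":
        return round(value * DAYS_PER_MONTH, 1)
    if unit == "years":
        return round(value * DAYS_PER_YEAR, 1)
    raise ValueError(f"unsupported unit: {unit}")


def displayed_years(value, unit):
    """Value the GUI shows after saving: months above 12 are converted to years and rounded to one decimal."""
    years = value / 12 if unit == "months" else float(value)
    return round(years, 1)


def retention_gap_days(setting_a, setting_b):
    """Difference in actual retention between two settings that may display identically."""
    return round(retention_days(*setting_b) - retention_days(*setting_a), 1)


def oldest_visible_event(search_date, value, unit):
    """Approximate earliest event date a search on search_date still returns (whole days only)."""
    return search_date - timedelta(days=int(retention_days(value, unit)))


if __name__ == "__main__":
    for setting in ((13, "months"), (1.1, "years")):
        print(setting, "displays as", displayed_years(*setting), "years,",
              "retains", retention_days(*setting), "days")
    print("extra days when set as 1.1 years:", retention_gap_days((13, "months"), (1.1, "years")))
    search = date(2023, 3, 9)
    a = oldest_visible_event(search, 13, "months")
    b = oldest_visible_event(search, 1.1, "years")
    print("cut-off gap between the two settings:", (a - b).days, "days")
```

Run it to see that both settings display as 1.1 years while retaining 395.4 and 401.5 days respectively; the useful check for an administrator is `retention_days`, which tells you the period a bucket actually enforces rather than the rounded figure in the GUI.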


Document Information

Modified date:
20 March 2023

UID

ibm16853559