IBM Support

QRadar: Out-of-memory errors when running ariel_offline_indexer



The ariel_offline_indexer utility stops unexpectedly due to not enough memory allocated for the script.


An error is generated at the command line and is also present in /var/log/messages:
JVMDUMP039I Processing dump event "systhrow", detail "java/lang/OutOfMemoryError" at 2020/09/30 16:23:43 - please wait.


The ariel_offline_indexer uses heap memory to build indexes from events for the target period. The default value configured for the script is fairly low at only 512 MB. If the volume of events is high enough and the utility requests more than the configured maximum value for heap memory, the out-of-memory monitor process kills the utility.

Resolving The Problem

The configured maximum memory for ariel_offline_indexer is set to 512m.  It is safe for all systems to increase the heap max value to 2048m.

To increase the heap max memory setting in the script from 512m to 2048m:

  1. Using SSH, log in to the QRadar® Console as the root user.
  2. Run the following command to increase the memory allocation setting in the script:
sed -i 's/-Xmx512m/-Xmx2048m/' /opt/qradar/bin/
Note: If the out-of-memory errors persist after increasing the heap max value in the script, contact IBM Support.
The heap memory allocation is increased to 2048 and allows to run successfully.

Document Location


[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt8AAA","label":"Ariel"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
08 October 2020