IBM Support

QRadar: Out-of-memory errors when running ariel_offline_indexer

Troubleshooting


Problem

The ariel_offline_indexer utility stops unexpectedly because not enough memory is allocated to the script.

Symptom

An error is generated at the command line and is also present in /var/log/messages:
JVMDUMP039I Processing dump event "systhrow", detail "java/lang/OutOfMemoryError" at 2020/09/30 16:23:43 - please wait.

Cause

The ariel_offline_indexer uses heap memory to build indexes from events for the target period. The default value configured for the script is fairly low at only 512 MB. If the volume of events is high enough and the utility requests more than the configured maximum value for heap memory, the out-of-memory monitor process kills the utility.

Resolving The Problem

The configured maximum heap memory for ariel_offline_indexer is 512m. It is safe on all systems to increase the heap max value to 2048m.

To increase the heap max memory setting in the script from 512m to 2048m:

  1. Using SSH, log in to the QRadar® Console as the root user.
  2. Run the following command to increase the memory allocation setting in the script:
     sed -i 's/-Xmx512m/-Xmx2048m/' /opt/qradar/bin/ariel_offline_indexer.sh
     Note: If the out-of-memory errors persist after increasing the heap max value in the script, contact IBM Support.

Result:
The heap memory allocation is increased to 2048m, which allows ariel_offline_indexer.sh to run successfully.
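
A guarded form of the step 2 edit, added here as an example and not part of IBM's procedure: sed -i exits successfully even when -Xmx512m is not present in the file, so this version checks for the pattern first, keeps a backup, and verifies the result. The function name raise_indexer_heap and the .bak backup suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example: guarded version of the sed edit from step 2.
# raise_indexer_heap is a hypothetical helper name, not an IBM-supplied tool.

raise_indexer_heap() {
    script="$1"        # path to ariel_offline_indexer.sh
    old="-Xmx512m"     # default heap max named in this technote
    new="-Xmx2048m"    # value this technote states is safe on all systems

    [ -f "$script" ] || { echo "not found: $script" >&2; return 2; }

    # Already raised: leave the file alone so reruns are harmless.
    if grep -q -- "$new" "$script"; then
        echo "already set to $new"
        return 0
    fi

    # sed exits 0 even when nothing matches, so confirm the pattern exists.
    if ! grep -q -- "$old" "$script"; then
        echo "$old not found in $script; setting differs from the documented default" >&2
        return 1
    fi

    # Keep a copy of the original (mode and timestamps preserved) for rollback.
    cp -p "$script" "$script.bak" || return 2

    sed -i "s/$old/$new/" "$script" || return 2

    # Confirm the edit landed before reporting success.
    grep -q -- "$new" "$script" || return 1
    echo "heap max raised to $new (backup: $script.bak)"
}

# Usage on the Console, as root:
#   raise_indexer_heap /opt/qradar/bin/ariel_offline_indexer.sh
```

A return code of 1 means the script did not contain -Xmx512m, in which case the heap setting should be inspected by hand before changing anything.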

Document Location

Worldwide


Document Information

Modified date:
08 October 2020

UID

ibm16339789