IBM Support

QRadar: Scheduled report displays lesser records than running same search in the log-activity tab

Question & Answer


Question

Why a scheduled report displays lesser records than running same search in the log-activity tab?

Cause

When we generate a specific report on the raw data or when we generate a scheduled report, both show lesser records on the generated report than log-activity search because of misconfiguration in report.
Example:
Following report shows only 5 records but the log-activity results have 8 records:
image-20231215133911-2
Log-activity results for same search and time frame.
image-20231215133438-3

Answer

While creating a report, the Limit Events/Logs configuration is set to 5 by default (under Additional Details for the report on the Container Details page).
As a result, the generated report displays only 5 entries or records instead of including more entries based on the applied search criteria.
image-20231206140943-2
Note -> The label "Limit Events/Logs to Top" can vary depending on the chosen chart type in the preceding window.
image-20231214185957-4image-20231215193936-2
To ensure that the generated report includes all entries based on the applied search criteria, it is necessary to adjust the "Limit Events/Logs to Top" setting to its maximum available count, as illustrated in the following screenshot.
image-20231214184335-1

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtmAAA","label":"Reports"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
15 December 2023

UID

ibm17091177