IBM Support

QRadar: Using the command

Question & Answer


What is the utility in /opt/qradar/support and how do administrators use it?


Warning: Using as a file manipulation tool can be destructive and could have consequential results. Use extra caution when you use this tool for file manipulation. When in doubt, contact Customer Support for guidance.

The command is a powerful tool that can issue commands to all QRadar appliances within your deployment.
  • To display all help options for the script, enter:
    /opt/qradar/support/ -h
  • To move a file to the /storetmp on all appliances in the deployment, enter:
    /opt/qradar/support/ -p <file>
    With the -r option, you can choose an alternative remote directory.
    /opt/qradar/support/ -p <file> -r <remote_directory>
    NOTE: The -p option provides a file check for disk space. If the available space is over 85% on a Console or 95% on a Managed Host, an error is returned. If disk space is unavailable, the copy function is halted before the file transfer begins. If a file cannot be copied to a specific host due to space issues, use scp to transfer the file to any hosts where provides an error message.
  • To copy a remote file from all appliances, enter the following command. This option can be used for getting copies of files or logs from all appliances.
    /opt/qradar/support/ -g 
  • To check disk space and redirect the output to a file called DiskSpace.txt, enter:
    /opt/qradar/support/ -C "df -h" > DiskSpace.txt
    Example DiskSpace.txt:
    	x.x.x.x ->
    	Appliance Type: 3100 Product Version:
    	13:41:07 up 2:36, 1 user, load average: 7.01, 6.98, 6.44
    	Filesystem    Size   Used   Avail  Use%   Mounted on
    	/dev/sda7     20G    16G    3.2G   83%    /
    	tmpfs         31G    0      31G    0%     /dev/shm
    	/dev/sda1     93M    47M    42M    54%    /boot
    	/dev/sda8     145G   20G    126G   14%    /store
    	/dev/sda6     9.7G   1.5G   7.8G   16%    /store/tmp
    	/dev/sda9     38G    36M    38G    1%     /store/transient
    	/dev/sda5     9.8G   1.3G   8.0G   14%    /var/log
    	/dev/sda3     6.0G   3.5G   2.2G   62%    /recovery
  • To locate a specific string within the /var/log/qradar.log file on all QRadar appliances, a command like the following can be used. In this example, we are searching for the word deploy:
    /opt/qradar/support/ -C 'grep -i "deploy" /var/log/qradar.log | tail -n 10'
    This command returns the last 10 matching entries from the /var/log/qradar.log file on each appliance, showing logged deploy changes.
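
The following added example (not part of the original IBM document) parses a saved report in the DiskSpace.txt layout shown above and lists every host and mount point whose Use% is over a given limit, such as the 85% and 95% figures in the NOTE. The function names over_threshold and sample_report are hypothetical, the sample report is constructed, and because the page does not state which filesystem the -p check inspects, the limit and an optional mount point are passed as arguments.

```shell
#!/bin/sh
# Added example: flag filesystems over a Use% limit in a saved "df -h"
# report shaped like the DiskSpace.txt sample on this page.
# Usage: over_threshold <report_file|-> <limit_percent> [mount_point]
# Assumption: each host block starts with a "<address> ->" line.

over_threshold() {
    report=$1; limit=$2; mount=${3:-}
    awk -v limit="$limit" -v mount="$mount" '
        # Host header line, for example "192.0.2.10 ->"
        NF == 2 && $2 == "->" { host = $1; next }
        # df data row: fifth column is Use% ("83%"), sixth is the mount point
        NF >= 6 && $5 ~ /^[0-9]+%$/ {
            pct = $5; sub(/%/, "", pct)
            if (mount != "" && $6 != mount) next
            if (pct + 0 > limit + 0) printf "%s %s %s%%\n", host, $6, pct
        }
    ' "$report"
}

# Constructed sample input (documentation addresses, invented usage values).
sample_report() {
    cat <<'EOF'
	192.0.2.10 ->
	Appliance Type: 3100 Product Version:
	13:41:07 up 2:36, 1 user, load average: 7.01, 6.98, 6.44
	Filesystem    Size   Used   Avail  Use%   Mounted on
	/dev/sda7     20G    16G    3.2G   83%    /
	/dev/sda6     9.7G   8.6G   1.1G   89%    /store/tmp
	192.0.2.20 ->
	Appliance Type: 3100 Product Version:
	09:02:11 up 5:10, 1 user, load average: 1.20, 1.10, 0.98
	Filesystem    Size   Used   Avail  Use%   Mounted on
	/dev/sda7     20G    4.0G   16G    20%    /
	/dev/sda6     9.7G   9.4G   0.3G   97%    /store/tmp
EOF
}

# Stand-alone demo: list every mount above 85% in the constructed report.
sample_report | over_threshold - 85
```

For a real report, pass the file name instead of "-", for example `over_threshold DiskSpace.txt 95 /store/tmp`.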



Document Information

Modified date:
14 November 2022