IBM Support

QRadar: Using an event/flow processor as a filter when searching data that was copied from another event/flow processor

Question & Answer


Question

Event/flow data can sometimes be copied from a source event/flow processor to a target processor. When the data is copied over, can we use the target processor in the search filter to search through that data?

Answer

For data that is copied from a source event/flow processor to a target processor, the target processor cannot be used as a search parameter when you search through the copied data. This is because:
 
  1. When events are written to the Ariel database on the source processor, each event is tagged with the identifier of that processor.
  2. When the data is copied from the source processor to the target processor, the copied events keep the source processor tag; copying does not rewrite it.
  3. If you use the target Event Processor in the search filter when you search through the copied data, you get no results, because the events are still tagged with the source processor.
For example, if you have an environment with the following hosts:
  • Console
  • Event Processor A
  • Event Processor B
If Event Processor B (source) is being decommissioned but you still need to search the data that exists on that processor, you can copy the data to Event Processor A (target). After the copy, a search on that data cannot be filtered on Event Processor A, because the data is still tagged with Event Processor B, where it originally resided.

 
If you need to search through the copied data, use other parameters such as payload, log source, domain, or time. Which of these parameters you can use depends on whether the data was copied:
  • Between two processors of the same deployment
    OR
  • Between two processors of different deployments
If the data is copied across different deployments, parameters that are unique to a deployment, such as log source and domain, cannot be used in the search: the log source and domain identifiers stored in the copied events belong to the source deployment and do not correspond to the log sources and domains of the target deployment. In that case, filter the search on time and payload, which are carried in the event itself and remain valid after the copy.
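The following AQL queries are an added illustration of the guidance above; they are not from the IBM page. The host names, log source name, search string and time window are constructed for the example. Both queries search the copied Event Processor B data after it has been moved to Event Processor A, and neither filters on an Event Processor, because that filter would match nothing. The first query filters only on time and payload, so it works whether the copy was within one deployment or across deployments. The second additionally filters on the log source name, which is valid only when both processors belong to the same deployment.

```sql
SELECT starttime, sourceip, payload
FROM events
WHERE payload ILIKE '%Failed password for invalid user%'
START '2021-05-01 00:00'
STOP  '2021-05-02 00:00';

SELECT starttime, LOGSOURCENAME(logsourceid) AS logsource,
       DOMAINNAME(domainid) AS domain, payload
FROM events
WHERE LOGSOURCENAME(logsourceid) = 'LinuxServer @ host-b.example.com'
START '2021-05-01 00:00'
STOP  '2021-05-02 00:00';
```

Use the first form when the source and target processors are in different deployments, since LOGSOURCENAME() and DOMAINNAME() resolve the identifiers stored in the event against the deployment that runs the query, and identifiers from another deployment resolve to nothing useful. The START and STOP bounds should cover the time range in which the source processor originally wrote the events, not the time of the copy.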


Document Information

Modified date:
25 May 2021

UID

ibm16455571