Question & Answer
Question
Event/flow data can sometimes be copied from a source event/flow processor to a target processor. When the data is copied over, can we use the target processor in the search filter to search through that data?
Answer
For data that is copied from a source Event/Flow Processor to a target processor, the target processor cannot be used as a search parameter when searching the copied data, for these reasons:
- When events are written to the Ariel database on the source processor, each record is tagged with the identifier of that particular processor.
- Copying the data to the target processor does not rewrite that tag; the copied events remain associated with the source processor.
- A search that filters on the target Event Processor therefore returns no results for the copied data, because the data is still tagged with the source processor. Copying data to another Event Processor never changes the original processor tagging.
For example, if you have an environment with the following hosts:
- Console
- Event Processor A
- Event Processor B
If Event Processor B (source) is being decommissioned but you still need to be able to search through the data that exists on that processor, you can copy the data to Event Processor A (target). After copying the data to Event Processor A, when you run the search on that data, you cannot filter it on Event Processor A because the data is still tagged with Event Processor B (where it originally resided).
If you need to search the copied data, use other parameters instead, such as payload, log source, or domain. Which parameters you can use depends on whether the data was copied:
- Between two processors in the same deployment, or
- Between two processors in different deployments
If the data is copied across deployments, parameters that are specific to a deployment, such as log source and domain, cannot be used in the search, because their identifiers belong to the deployment that generated the data. In that case, filter the search results on time-based parameters or on the payload.
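The following AQL query is added here as an illustration and is not part of the original technote. It shows a search over copied data that does not reference a processor at all: it filters only on a time window and on a payload string, which is the approach that works whether or not the copy crossed deployments. The time range, the search text and the result limit are constructed values; run the query from the Log Activity tab's Advanced Search field and adjust them to your data.

```sql
-- AQL (QRadar Ariel Query Language). Added example, not from the technote.
-- Deliberately contains no processor filter: the copied events still carry
-- the SOURCE processor tag, so filtering on the target processor returns
-- nothing. The time window and search term below are constructed values.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid)                   AS log_source,   -- shown for context only
    UTF8(payload)                                AS raw_payload
FROM events
WHERE TEXT SEARCH 'Failed password'             -- payload-based filter
ORDER BY starttime ASC
LIMIT 100
START '2021-05-01 00:00'                        -- time-based filter (constructed window)
STOP  '2021-05-02 00:00'
```

When the copy stayed within one deployment, a log source or domain condition (for example an additional `AND logsourceid = <id>` clause, with an id taken from your own Log Sources list) is a valid further narrowing. When the copy crossed deployments, leave such conditions out: the log source and domain ids stored in the copied records were assigned by the source deployment and do not correspond to anything in the target, so the query above keeps to time and payload only.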
Product: IBM Security QRadar SIEM; Component: Ariel; Platform: Linux; Version: All Version(s)
Document Information
Modified date: 25 May 2021
UID: ibm16455571