Configuring the retention period for payload indexes

By default, IBM® QRadar® sets the data retention period of the payload index to 30 days. To search for specific values in Quick Filter indexes beyond 30 days, change the default retention in QRadar.

Before you begin

Your virtual and physical appliances require a minimum of 24 GB of RAM to enable full payload indexing. However, 48 GB of RAM is suggested.

The minimum and suggested RAM values apply to all QRadar systems, such as 16xx, 17xx, or 18xx appliances, that are processing events or flows.

About this task

The retention values reflect the time spans that you are typically searching. The minimum retention period is 1 day and the maximum is 2 years.

Note: Quick Filter searches that use a time frame outside of the Payload Index Retention setting can trigger slow and resource-intensive system responses. For example, this can happen if the payload index retention is set to 1 day and the search uses a time frame of the last 30 hours.

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click System Settings.
  3. In the Database Settings section, select a retention time period from the Payload Index Retention list.
  4. Click Save.
  5. Close the System Settings window.
  6. On the Admin tab, click Deploy Changes.

What to do next

If you retain payload indexes longer than the default value, extra disk space is used. After you select a greater value in the Payload Index Retention field, monitor system notifications to ensure that you do not fill disk space.