How To
Summary
How to find API searches that are affecting performance in QRadar when high system load has been identified by using threadTop.sh
Objective
You can identify sources of high load by using the threadTop.sh script, found in /opt/qradar/support/threadTop.sh and described in more detail here: QRadar: Using ThreadTop to determine QRadar process load
In some cases, you might notice high Msecs values appearing for ariel_proxy_server on a Console or ariel_query_server on a managed host. These services provide the ability for users to search for events, and some searches can be taxing on the system. For searches started through the API, it is easy to lose track of which user ran a search and what the search is.
In the threadTop.sh script, a system under high search load may return values similar to the example below. The "-p 7782" option limits threadTop.sh to port 7782, which is the port typically used by the ariel services to run searches:
/opt/qradar/support/threadTop.sh -p 7782
Server            ID     Msecs  Name
----------------- ------ ------ --------------------------------------------------------
7782 142 3278 qw_2:c0fc77bd-1f0e-43da-b6e4-400fc84273ec <---ID of search
7782 118 2602 qw_4:e9028479-3114-44d7-af84-1b4c92a3fdef
7782 234 2432 qw_3:d9073218-29fb-4b27-bdfc-cf31a3f5e914
7782 162 2300 qw_1:dccd6fcf-e3ac-418f-b3b8-c6a19a22a78e
In the previous example, the 4 query writer (qw_*) threads are each busy with a different search. The search's ID is in the Name column, after the thread name.
Steps
One way of checking the search's status, query, duration, and other details is to use the QRadar Console API.
- Using threadTop.sh, get the GUID of the search that is running. For example: qw_2:c0fc77bd-1f0e-43da-b6e4-400fc84273ec
- Access the QRadar API by going to https://<QRadar hostname>/api_doc
- Using the panel on the left, navigate to ariel > searches > search_id.
- Scroll down to the "Parameters" section and locate the Parameter "search_id".
- Enter the ID of the search into the search_id Value box. In this example: c0fc77bd-1f0e-43da-b6e4-400fc84273ec
- Click the "Try it Out!" button at the bottom of the page.
Result
The page shows a set of new boxes containing information about your search. In this example, the Response Body has the following information:
cursor_id | c0fc77bd-1f0e-43da-b6e4-400fc84273ec
status | EXECUTE
compressed_data_file_count | 0
compressed_data_total_size | 0
data_file_count | 82540
data_total_size | 125953333700
index_file_count | 4312
index_total_size | 6195535220
processed_record_count | 2
desired_retention_time_msec | 86400000
progress | 12
progress_details | []
query_execution_time | 4500073
query_string | SELECT * FROM EVENTS WHERE INOFFENSE (10020) START '2020-01-01 01:00'
record_count | 2
size_on_disk | 0
save_results | false
completed | false
Note the query_string in the previous table: this is the query of the running search. Other useful values are query_execution_time (how long the search has been running, in milliseconds) and progress (a rough estimate of completion, as a percentage).
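The same lookup can be scripted so that every busy query-writer thread is mapped back to its search in one pass. The following is an added example, not code from the IBM tech note: it parses threadTop.sh -p 7782 output (a constructed sample built from the note's example), calls the same GET /api/ariel/searches/{search_id} endpoint that the api_doc page uses, and summarizes the fields the note calls out. It assumes the API is authenticated with an authorized-service token sent in the SEC header.

```python
import json
import re
import urllib.request

# Constructed sample of threadTop.sh -p 7782 output, matching the tech note's example.
THREADTOP_SAMPLE = """\
Server ID Msecs Name
----------------- ------ ------ ------------------
7782 142 3278 qw_2:c0fc77bd-1f0e-43da-b6e4-400fc84273ec
7782 118 2602 qw_4:e9028479-3114-44d7-af84-1b4c92a3fdef
7782 234 2432 qw_3:d9073218-29fb-4b27-bdfc-cf31a3f5e914
7782 162 2300 qw_1:dccd6fcf-e3ac-418f-b3b8-c6a19a22a78e
"""

# Columns: Server, ID, Msecs, Name; for query-writer threads Name is qw_<n>:<search GUID>.
QW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(qw_\d+):([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})")

def parse_threadtop(text):
    """Return [(msecs, thread, search_id), ...] with the busiest thread first."""
    found = []
    for line in text.splitlines():
        m = QW_RE.match(line.strip())
        if m:
            found.append((int(m.group(3)), m.group(4), m.group(5)))
    return sorted(found, reverse=True)

def fetch_search(console, sec_token, search_id):
    """GET /api/ariel/searches/{search_id}, the call the api_doc page makes for you.
    sec_token is an authorized-service token sent in the SEC header (assumption)."""
    req = urllib.request.Request(
        f"https://{console}/api/ariel/searches/{search_id}",
        headers={"SEC": sec_token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize(search):
    """Pick out the fields the note highlights; running time converted from ms to minutes."""
    return {
        "search_id": search["cursor_id"],
        "status": search["status"],
        "progress_pct": search["progress"],
        "running_min": round(search["query_execution_time"] / 60000, 1),
        "query": search["query_string"],
    }

if __name__ == "__main__":
    import sys  # usage: python3 find_searches.py <console hostname> <SEC token> < threadtop_output.txt
    for msecs, thread, sid in parse_threadtop(sys.stdin.read()):
        print(msecs, thread, summarize(fetch_search(sys.argv[1], sys.argv[2], sid)))
```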
Document Location
Worldwide
Document Information
Modified date:
14 December 2020
UID
ibm13529461