Question & Answer
Question
You configured a new Custom Event Property for a DSM and can see it parsing in the DSM Editor's Log Activity Preview. However, you do not see the Custom Event Property in your events in Log Activity yet.
Cause
In some instances, after a new Custom Event Property is created for a Log Source type, depending on the current state of the Tomcat cache, it might need to be cleared for the event to display the new Custom Event Property in Log Activity. The cache can be cleared by restarting the Console's Web Server.
Answer
Important: When the Tomcat service restarts, the QRadar® UI is not available to all users. Administrators with strict outage policies are advised to complete the next step during a scheduled maintenance window for their organization.
To restart the console's Web Server:
- Log in to the Console as an admin user.
- Click Admin tab.
- Click 'Advanced' near the top of the UI.
- Select 'Restart Web Server'
- Click OK to confirm.
- After the Web Server restarts, check Log Activity to see whether the events are now displaying the new Custom Event Property.
Results
If the events are still not displaying the new Custom Event Property, open an IBM® Support case for further investigation.
Related Information
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtSAAQ","label":"DSM Editor"},{"code":"a8m0z000000cwtEAAQ","label":"Log Activity"}],"ARM Case Number":"TS004078060","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
27 November 2020
UID
ibm16333549