IBM Support

QRadar: Why do some search results have Never in the Expires On column

Question & Answer


Question

Under Log Activity > Manage Search Results, why do some searches have the Expires On column set to Never but some searches have timestamps in that column?

Answer

By default, QRadar® saves the results of every search that users run. These search results can be transient or can be saved permanently by end users. Most searches run in the Log Activity tab produce transient search results unless the user explicitly saves them.
The duration for which transient search results are retained depends on the System Settings > Ariel Database Settings > Search Results Retention Period setting. By default, search results are retained for 24 hours from the time the search is run.
QRadar has an option for users to permanently save search results. This option is available when a new search is created from Log Activity > New Search. The Save Results option is at the end of that dialog past the Search Parameters section:
Users can also save search results using the Save Results option at the top of the Log Activity section:
IMPORTANT: Saved search results are not subject to the Search Results Retention Period setting and are retained indefinitely. These results also appear in the Manage Search Results page but they have the Expires On column set to Never because the user instructed QRadar to retain the search results.
NOTE: All search results are stored as files under the /transient directory. Saved search results are set to never expire and are retained until they are explicitly deleted from the Manage Search Results section. They can fill up the /transient partition, especially if they contain a large amount of data or if there are many such results. Administrators are advised to monitor notifications regarding disk space usage on the /transient directory and to delete unwanted search results in Log Activity > Manage Search Results. For another method to manage high disk usage on the /transient directory, refer to this article.


Document Information

Modified date:
22 October 2020

UID

ibm16347574