IBM Support

QRadar: How to reduce the volume of QRadar Health Metric Events

How To


Summary

QRadar generates events by using the Health Metric log source, which provides insight into the system health and operation of the deployment. These events are internal and credited back to the licensed EPS threshold; however, the volume of these events can still affect pipeline performance. For that reason, polling these metrics less often, by lengthening their polling interval, might be necessary.

Objective

Reduce how often System Health Metrics are polled, by lengthening their polling interval, to reduce the impact on event pipeline performance.

Environment

QRadar 7.4.x and later.

Steps

1. Use SSH to log in to the QRadar environment.
2. To check the current value of the Health Metric intervals, run the following command on the command-line interface (CLI) of the host in question:
psql -U qradar -c "select id,metric_id,time_resolution_millis from metric_meta_data;"

Partial example output as follows:

psql -U qradar -c "select id,metric_id,time_resolution_millis from metric_meta_data;"
 id  |                   metric_id                    | time_resolution_millis 
-----+------------------------------------------------+------------------------
 135 | CollectionCount                                |                  60000
 136 | CollectionCountCopy                            |                  60000
 137 | CollectionTime                                 |                   5000
 138 | CollectionTimeCopy                             |                   5000
 139 | LastCollectionStartTime                        |                   5000

3. Back up the metric_meta_data table:

pg_dump -U qradar -t metric_meta_data -f /tmp/metric_meta_data.sql

4. Using the example from step 2, if you notice that the current configuration contains values that are set to 5000 ms, they can be changed to 60000 ms, as follows:

psql -U qradar -c "update metric_meta_data set time_resolution_millis=60000 where time_resolution_millis=5000;"

These values can be adjusted in accordance with business requirements. If further assistance is required, reach out to QRadar Support.
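
Steps 2 to 4 combined into one guarded procedure, as an added example that is not part of the IBM document: it counts the affected metrics, refuses to run the update unless a non-empty backup was written, and only accepts a change that lengthens the interval. The function names and the BACKUP_DIR variable are hypothetical; the psql and pg_dump commands, table and column names are those shown in the steps.

```shell
#!/bin/bash
# Added example, not IBM's script. Function names and BACKUP_DIR are hypothetical.
# The psql and pg_dump commands and the table and column names are from the steps above.
BACKUP_DIR="${BACKUP_DIR:-/tmp}"

# Step 2, narrowed: how many metrics are polled at interval $1 (ms).
count_at_interval() {
    psql -U qradar -t -A -c \
        "select count(*) from metric_meta_data where time_resolution_millis=$1;"
}

# Step 3: dump to a timestamped file so an earlier backup is never overwritten.
# Fails if the dump is missing or empty.
backup_table() {
    local out
    out="$BACKUP_DIR/metric_meta_data.$(date +%Y%m%d%H%M%S).sql"
    pg_dump -U qradar -t metric_meta_data -f "$out" || return 1
    [ -s "$out" ] || return 1
    echo "$out"
}

# Step 4: move every metric from interval $1 to interval $2 (ms).
# Returns 2 on bad arguments, 1 if the backup or the update fails.
raise_interval() {
    local from="$1" to="$2" before backup
    # Values are interpolated into SQL, so accept digits only.
    case "$from" in ''|*[!0-9]*) return 2 ;; esac
    case "$to" in ''|*[!0-9]*) return 2 ;; esac
    # Only a longer interval reduces event volume; refuse anything else.
    [ "$to" -gt "$from" ] || return 2

    before=$(count_at_interval "$from") || return 1
    if [ "$before" -eq 0 ]; then
        echo "no metrics at ${from} ms, nothing to change"
        return 0
    fi
    backup=$(backup_table) || { echo "backup failed, update not run" >&2; return 1; }
    psql -U qradar -c "update metric_meta_data set time_resolution_millis=$to \
where time_resolution_millis=$from;" || return 1
    echo "moved $before metrics from ${from} ms to ${to} ms; backup: $backup"
}

# Usage, after sourcing this file on the QRadar host: raise_interval 5000 60000
```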

Document Location

Worldwide

Document Information

Modified date:
20 December 2022

UID

ibm16848239