IBM Support

QRadar: No data in the System Monitoring - Offenses Over Time dashboard graph

Troubleshooting


Problem

The Offenses Over Time graphs under the System Monitoring dashboard are blank. There is no data displayed in the Offense Over Time dashboard graph.

Cause

The Offense Over Time dashboard widget might be blank if the relevant data is not being extracted at the Device Parsing stage of the event pipeline. When the RegexMonitor thread detects that the regex pattern extraction for any Custom Event Property (CEP) is running for over two seconds on one event, the CEP is disabled.

Diagnosing The Problem

In the Offense Over Time dashboard, click View in Log Activity to open a log activity search for the relevant event logs.

If the search results table shows no values for the Active Offense Count or Dormant Offense Count fields, it is a good indication that the relevant values are not being extracted from the events correctly.

Check the Custom Event Properties configuration to confirm that the blank Offense Over Time graph is caused by disabled properties:

1.  In the QRadar Console GUI, navigate to Admin -> Data Sources -> Custom Event Properties.

2.  Filter with the string 'offense' in the Search Properties box.

3.  Check to see whether any of the following CEPs are disabled:

  • Active Offense Count
  • Dormant Offense Count

Resolving The Problem

If the CEPs related to the dashboard are disabled, enable the CEPs.
Default CEPs are disabled by the RegexMonitor when there is a performance degradation problem at device parsing. The performance degradation issue needs to be investigated further. 
Review recent changes to the deployment that affect the performance characteristics of the QRadar managed host where the error message is detected. Such changes include new log sources, new CEPs, changes to existing CEPs, changes to event composition or volume, and others.
If the issue persists, contact IBM Support.
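
When reviewing new or changed CEPs, it helps to time each regex against sample payloads before it reaches the parsing stage. The following is an added example, not IBM or QRadar code: the regexes, payloads and function names are hypothetical or constructed, and Python's `re` engine stands in for QRadar's, so the timings are indicative only.

```python
import re
import time

# From the article: RegexMonitor disables a CEP whose regex runs for over
# two seconds on one event.
REGEX_MONITOR_LIMIT_S = 2.0

# Hypothetical CEP regexes (not QRadar's shipped expressions).
SAMPLE_CEPS = {
    "anchored_literal": r"Active Offense Count=(\d+)",
    # Nested quantifier: backtracks exponentially when "Count=" is absent.
    "nested_quantifier": r"^(?:\S+\s*)+Count=(\d+)",
}

# Constructed payloads: one with the fields, one opaque token without them.
SAMPLE_PAYLOADS = [
    "Active Offense Count=12 Dormant Offense Count=3",
    "A" * 22,
]

def time_pattern(pattern, payload):
    """Return (elapsed seconds, captured group 1 or None) for one event."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    match = compiled.search(payload)
    elapsed = time.perf_counter() - start
    return elapsed, (match.group(1) if match else None)

def audit_ceps(ceps, payloads, budget_s=REGEX_MONITOR_LIMIT_S):
    """Report worst per-event time and extraction count for each regex."""
    report = {}
    for name, pattern in ceps.items():
        results = [time_pattern(pattern, p) for p in payloads]
        worst = max(elapsed for elapsed, _ in results)
        report[name] = {
            "worst_s": worst,
            "extracted": sum(value is not None for _, value in results),
            "over_budget": worst > budget_s,
        }
    return report

if __name__ == "__main__":
    # Scaled-down budget so the short constructed token already trips it.
    for name, row in audit_ceps(SAMPLE_CEPS, SAMPLE_PAYLOADS, 0.05).items():
        print(f"{name}: {row}")
```

Both regexes extract a value from the well-formed payload; only the nested-quantifier one becomes expensive on the payload that lacks the field, which is the per-event cost that matters here.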

Document Location

Worldwide


Document Information

Modified date:
05 June 2023

UID

ibm16998337