IBM Support

QRadar: What is data rebalancing?

Question & Answer


Question

What is data rebalancing in QRadar Data Nodes?

Answer

As data nodes are added, the parent node automatically rebalances the data with the active nodes. The rebalancing process calculates a target space, which is the amount of free space in all nodes divided by the number of nodes. Consider the following example:

The administrator has an Event Processor (parent node) with one Data Node already attached, and attaches another Data Node:

com.ibm.si.ariel.dcs.databalancing.MasterTask: Node[112] has free space: 45
com.ibm.si.ariel.dcs.databalancing.MasterTask: Node[105] has free space: 45
com.ibm.si.ariel.dcs.databalancing.MasterTask: Node[108] has free space: 100
com.ibm.si.ariel.dcs.databalancing.MasterTask: Targeting free space: 63 for all nodes

With the target defined, the data is moved by one hour block at a time until the target free space is reached. Once done, data rebalance reoccurs only if another data node is added or a data node previously set to Archive mode is set to Active mode.

Administrators can check the rebalancing status by querying the PostgreSQL database as explained in the Checking the last data rebalancing status section.

Checking the last data rebalancing status

  1. Use SSH to log in to the QRadar Console as the root user.
  2. Use SSH to log in to the parent node.
  3. Check the status of the last data rebalancing by querying the PostgreSQL Database: 
    psql -U qradar -c "select * from datanode_status"
    Example output: 
     id | node_id | database | master_node_id |        status        | error_messages_json | last_rebalancing_start_time | last_rebalancing_end_time
----+---------+----------+----------------+----------------------+---------------------+-----------------------------+---------------------------
  3 |     132 | flows    |            125 | rebalancingCompleted |                     |               1686864691450 |             1686864693185
  1 |     125 | flows    |            125 | rebalancingCompleted |                     |               1686864691421 |             1686864694100
  4 |     132 | events   |            125 | rebalancingCompleted |                     |               1686864690047 |             1686864694329
  2 |     125 | events   |            125 | rebalancingCompleted |                     |               1686864692841 |             1686864695370
(4 rows)
    Note: The node_id column contains the ID of a Data Node and the master_node_id contains the ID of its parent node.
    Copy the last_rebalancing_start_time and last_rebalancing_end_time.
  4. Determine when the last rebalancing started or ended by using the date command:
    The epoch value is in milliseconds, administrator must fix the epoch value to be in seconds by removing the last 3 digits. For example, if your original epoch value is 1686864691450, then you must use 1686864691.
    Note: Replace <epoch> with the fixed epoch value. 
    date -d @<epoch>
    Command example: 
    date -d @1686864691
    Output example: 
    Thu Jun 15 18:31:31 ADT 2023
    Result
    Administrator determined the status of the last rebalancing among with when it was started. For more information about data nodes, see QRadar: About Data Nodes.
     

Related Information

QRadar: About Data Nodes

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Hardware and Firmware","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
13 July 2023

UID

ibm16999023

Page Feedback