Troubleshooting
Problem
The root partition / is full, or almost full, in QRadar SIEM.
Symptom
df -h /
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/rootrhel-root 13G 11G 1.7G 87% /
Cause
- A transient partition was never created
- Customization is causing it to fill
- Someone is running an expensive command
- Expensive search is running, or is saved
Resolving The Problem
- Verify that transient partition was never created:
df -h /transientNote: If no partition is returned, then no transient partition was created. The recommended method is to reinstall for a software installation. For appliance installation, it's possible the host is an Event Collector. - Create backup:
mkdir -p /store/ibm_support/7160856/store cp -p /transient/spillover/queue/ecs-ec-ingress.ecs-ec-ingress/* /store/ibm_support/7160856/ cp -p /store/transient /store/ibm_support/7160856/store - Stop services:
systemctl stop hostcontext ecs-ec-ingress /opt/qradar/systemd/bin/manual.sh hostcontext enable - Create new transient and link it:
mkdir /store/transient2 mv /transient /store/transient2 rm /store/transient mv /store/transient2 /store/transient ln -s /store/transient /transient - Turn services back on:
/opt/qradar/systemd/bin/manual.sh hostcontext disable systemctl start hostcontext ecs-ec-ingress
Issue with root partition space is now resolved:
df -h /
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"},{"code":"a8m0z000000cwtcAAA","label":"Hardware"},{"code":"a8m0z000000cwszAAA","label":"Install"},{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"ARM Case Number":"TS016679891","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
22 July 2024
UID
ibm17160856