IBM Support

QRadar: How to cancel searches from the API

How To


Summary

This process is specially helpful when the search is executed through the API and is not listed under the Manage Search Results page, it can be used by apps, script, or third-party tools.

Steps

Follow the next two sections to get first the search ID and then use it to cancel the search. 
Identifying the search ID from the CLI:
  1. Access the console by using the CLI.
  2. Enter the next command. It returns a list of all the searches that are currently running: 
    /opt/qradar/support/jmx.sh -p 7782 -b 'com.q1labs.ariel:application=ariel_proxy.ariel_proxy_server,type=Query server,a1=Queries*' | less -iSR
  3. From the output, identify the expensive search based on its duration and progress or by the time range. They are highlighted in yellow in the following example. In this case, there are two searches and one of them is running for one hour and thirty-four minutes with a progress of 49.6%:
    image-20220811103505-1
  4. After the search is identified, copy the search ID. In the previous screen capture, it corresponds to "6d7d0814-d35b-43dd-ab45-2956da9bbbc1" and is highlighted in yellow. It can always be found after a4= or in the Id field. To exit this section, press the q key.
Canceling the search from the API:
  1. Navigate to https://<Console IP>/api_doc and open the Interactive API for Developers.
  2. Expand the ariel folder, click searches, and then double-click {search_id}.
    image-20220810201927-2
  3. Change from the GET to POST
    image-20220811104435-2
  4. Scroll down to the Parameters section. For the search_id field, paste the search ID you copied from the command line. In the status field type CANCELED like the example:image-20220810202416-4
  5. Click the 'Try it Out!' button at the end of the page. The search is now cancelled.
  6. To confirm it, at the top of the page, change from POST to GET. Then, scroll down and paste the search ID in the search_id field. Click the 'Try it Out!' buttonit returns a response confirming that the search is cancelled:
    image-20220811110051-2
Result:
When the search is cancel by using the API, it stops running, and it passes to canceled status.

Related Information

Canceling a search

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt8AAA","label":"Ariel"},{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
15 August 2022

UID

ibm16611947

Page Feedback