Troubleshooting
Problem
This technical note describes how to run large saved searches or reports when you get the error message: 'Accumulator out of memory' or 'Accumulator falling behind'.
Symptom
When this issue occurs, QRadar will generate one of the following error messages:
- Accumulator out of memory (Dashboard notification)
- Accumulator falling behind (System Notification)
- The accumulator dropped records (System Notification)
Cause
These messages can be caused by using too many columns, grouping by too many categories, or using columns that consume a lot of resources, such as Start Time or Source Port. Columns like these produce too many unique values.
Diagnosing The Problem
If the error messages are infrequent, then the messages can be ignored. As
Resolving The Problem
If you notice these error messages when you run a search or report, you might attempt the following:
- Reduce the number of columns in your search.
- Reduce the number of fields in the search that generate unique values such as Source Port or Start time.
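An added example (not IBM's code and not part of the original technote): a Python sketch that counts unique values per column over constructed events, showing how columns such as Start Time and Source Port inflate the number of rows a grouped search has to track. The Source IP and Event Name columns, the function names, and all sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta

COLUMNS = ["Start Time", "Source IP", "Source Port", "Event Name"]


def make_sample_events(n=240):
    """Build constructed events (not real QRadar output), one per second."""
    ips = ["10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"]
    names = ["Firewall Deny", "Login Failure", "Port Scan"]
    base = datetime(2018, 6, 16, 12, 0, 0)
    return [
        {
            "Start Time": (base + timedelta(seconds=i)).isoformat(),
            "Source IP": ips[i % len(ips)],
            "Source Port": str(49152 + (i * 7) % 5000),  # ephemeral-style ports
            "Event Name": names[i % len(names)],
        }
        for i in range(n)
    ]


def distinct_counts(rows, columns):
    """Number of unique values each column contributes."""
    return {c: len({r[c] for r in rows}) for c in columns}


def grouped_rows(rows, columns):
    """Number of distinct rows a search grouped on these columns would yield."""
    return len({tuple(r[c] for c in columns) for r in rows})


def high_cardinality(rows, columns, ratio=0.5):
    """Columns whose unique-value count exceeds `ratio` of all events."""
    counts = distinct_counts(rows, columns)
    flagged = [c for c in columns if counts[c] / len(rows) > ratio]
    return sorted(flagged, key=lambda c: -counts[c])


if __name__ == "__main__":
    events = make_sample_events()
    drop = high_cardinality(events, COLUMNS)
    keep = [c for c in COLUMNS if c not in drop]
    print("unique values per column:", distinct_counts(events, COLUMNS))
    print("candidates to remove:", drop)
    print("grouped rows, all columns:", grouped_rows(events, COLUMNS))
    print("grouped rows, after removal:", grouped_rows(events, keep))
```

Running the same counts over an exported sample of your own search results shows which columns are worth removing first.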
Procedure
- Log in to the QRadar Console.
- Click the Log Activity tab.
- From the Columns list, select a field, such as Start Time or Source Port.
- Click the < icon to remove a value.
- To save the search results, use either of the two examples below:
  - Either click the Save Results check box, add a Search Name, and click Search.
  - Or click Search and then, from the Navigation bar, click Save Criteria.
- Click OK.
Document Information
Modified date:
16 June 2018
UID
swg21967796