Question & Answer
Question
Cause
The /transient (in 7.3.x) or /store/transient (in 7.2.8) partition stores Ariel cursors for searches and the data for generated reports.
In this article, /transient and /store/transient are used interchangeably because they refer to the same partition in different QRadar versions.
Do not use /tmp, /store/tmp, or /store/transient for your ISO upgrade. These directories are partitioned as part of the upgrade; you cannot use them as storage locations or as mount points for the ISO file.
The partition size and type vary based on the appliance type (Console, Event Processor, and so on), model (newer Console models have larger storage), hardware, software installation (customer appliance) or VM, and QRadar version.
By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across the /transient partition. If the partition fills up above 95%, it stops the QRadar critical services.
To find out what files or directories are filling up the /transient partition, see the Troubleshooting Disk Space Problems technote:
Technote 0881013 - QRadar: Troubleshooting Disk Space Problems
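A way to see how close the partition is to the 95% threshold described above, added here as an example (not IBM or QRadar code). It uses only `df`, `du`, and `awk`; the helper names and the 85% warning margin are assumptions made for this example, and the sample `df -P` text is constructed.

```shell
#!/bin/sh
# Added example: classify /transient usage against the 95% threshold.
SENTRY_PCT=95   # from the article: critical services stop above this
WARN_PCT=85     # assumption: early-warning margin chosen for this example

# Constructed sample of `df -P` output (not taken from a real system).
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda5 104857600 52428800 52428800 50% /store
/dev/sda6 20971520 20132660 838860 96% /store/transient'

# classify_transient DF_TEXT  (hypothetical helper)
# Prints "<STATE> <mount> <used%>"; returns 0 OK, 1 WARN/CRITICAL, 2 absent.
# Prefers /transient (7.3.x), falls back to /store/transient (7.2.8).
classify_transient() {
    printf '%s\n' "$1" | awk -v crit="$SENTRY_PCT" -v warn="$WARN_PCT" '
        $6 == "/transient" || $6 == "/store/transient" {
            pct = $5; sub(/%/, "", pct); seen[$6] = pct + 0
        }
        END {
            if ("/transient" in seen) m = "/transient"
            else if ("/store/transient" in seen) m = "/store/transient"
            else { print "ABSENT - 0"; exit 2 }
            p = seen[m]; state = "OK"; rc = 0
            if (p > crit) { state = "CRITICAL"; rc = 1 }
            else if (p >= warn) { state = "WARN"; rc = 1 }
            print state, m, p
            exit rc
        }'
}

# largest_dirs MOUNT: ten largest directories, staying on that filesystem (-x).
largest_dirs() {
    du -xk "$1" 2>/dev/null | sort -rn | head -n 10
}

# Live run: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    result=$(classify_transient "$(df -P)") || true
    echo "$result"
    set -- $result
    case "$1" in WARN|CRITICAL) largest_dirs "$2" ;; esac
fi
```

The non-zero return code on WARN or CRITICAL makes the function usable from a scheduled job that alerts before services are stopped.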
Answer
Quick Links
- 1. Troubleshooting /transient space issues.
- 2. Defects around /transient partition.
- 3. Information about the sizing of /transient partition.
The following are the most commonly encountered issues that cause /transient to fill up. For more information about troubleshooting /transient space issues, see the following technical documents:
This technical document details the steps to identify and delete large search data files that are causing the /transient partition to fill up.
Technote 21622708 - QRadar: About searches and data storage
This technical document explains, for a distributed QRadar environment, how QRadar accesses the data used by Searches, Offenses, and Reports, and how the Console uses that data.
The following is a list of defects encountered on the /transient partition:
The uncompressedCache folder in /store/transient partitions on managed hosts can exceed the critical disk threshold of 95% used, causing services to be shut down. This issue can occur due to large searches being performed on compressed data if the system has a corrupt .ser file for its uncompressedCache reference. In this instance, the cache related to the corrupted .ser file is no longer managed.
It has been observed that the /store/transient partition does not clean up space when required and can run out of free disk space (above 95% usage).
HA issues can be caused by HA standby managed hosts that do not correctly mount /store/transient, if the boxes have been rebuilt from the recovery partition and the /store and /store/transient were not merged.
Recommendations when upgrading QRadar:
QRadar: Software update checklist for administrators
Linux operating system partition properties for QRadar installations on your own hardware:
If you use your own appliance hardware, you can delete and re-create partitions on your Red Hat Enterprise Linux operating system rather than modify the default partitions.
Linux operating system partition properties for QRadar installations on your own system
This technote details where search data is stored in a QRadar distributed environment.
Document Information
Modified date:
13 June 2023
UID
ibm10882064