Security Technology Alliance Program User Group

This online group is intended for new and existing IBM Security Technology Partners who would like to keep up to date with the latest advice and best practices for IBM Security integration.

Enhanced Partial Search Results Visibility

By Pranav Hiswankar posted Mon March 30, 2026 08:42 AM

Introduction

When analysts run long or complex searches, waiting for results can slow down the investigation process. To improve visibility during active searches, IBM QRadar now displays up to 1,000 partial search results while a search is still in progress, a significant increase from the previous limit of 40.

What Changed

Previously, QRadar displayed only 40 partial results while a search was in progress. This provided very limited visibility into the data being returned during long-running or complex searches.

With this enhancement, QRadar now shows up to 1,000 partial results during an active search.

This larger result set allows analysts to review a more meaningful sample of data earlier in the investigation process and make decisions sooner.

Why It Matters

During security investigations, analysts often run searches across large volumes of event or log data to identify suspicious activity, validate indicators, or trace incident timelines.

When only a small number of interim results are visible, it can be difficult to determine whether the search is returning the right data until the query finishes. That can slow down investigations and delay adjustments to the search logic.

By increasing partial result visibility, QRadar allows analysts to begin assessing search quality much earlier and take action without waiting for full completion.

Example Use Case

Consider an analyst who is searching for the event “User login” in QRadar during an investigation.

Previously, while the search was still running, QRadar displayed only 40 partial results. This made it difficult to determine quickly whether the search was returning the expected events or whether the query needed to be refined.

With this enhancement, QRadar can display up to 1,000 partial results while the search is still active. This gives the analyst a much broader view of the matching login events earlier in the process, which helps in spotting patterns, validating the search sooner, and continuing the investigation more efficiently.

Thank you, Ashish Kothekar (ashish.kothekar@in.ibm.com), for taking the time to review the article.
A special thanks to Darshan Donni (dardonn1@in.ibm.com) for approving the article.
