IBM QRadar

  • 1.  Expired Entry from the reference data is not getting deleted

    Posted Thu July 18, 2024 05:41 AM

    Hi

    We are facing an issue with the reference map of sets.

    The expired elements entry from the reference data is not getting deleted.

    Please help us.



    ------------------------------
    Aby Francis
    ------------------------------


  • 2.  RE: Expired Entry from the reference data is not getting deleted

    Posted Thu July 18, 2024 02:02 PM
    Edited by Jonathan Pechta Thu July 18, 2024 11:09 PM

    There is a known issue that allows users to create reference maps without related keys. This leads to issues where the API or the system attempts to delete the data, but cannot, as the reference key is null. I don't think that is your issue, but one good check is to confirm whether the entry shows "Time to Live = 0s" in the user interface. Data at 0 seconds should be removed from the Reference data UI when you refresh or open and close the UI screen. If you see data that is at 0 seconds in the UI, then something is going on and we might need to investigate.

    I would install the Reference Data Management app and see if there is a key in the UI. If you get an error such as "Map of sets <Name of your set> does not contain key [key]", then this is the root cause.

    There also might be an issue where the reference map of sets was associated with a domain which has been removed or is no longer accessible for some reason, which can cause what you are seeing as well.

    I think you likely need to open a support case on both of the posts you created so we can investigate, as it is very hard to troubleshoot without error messages or version information.

    As a temporary workaround, assuming that this is not QRadar on Cloud but an on-premise QRadar, you could use the CLI and try to manually delete a value. For example: /opt/qradar/bin/ReferenceDataUtil.sh delete "ReferenceSetName" "value"

    If you have a value to delete, you could try this or see if it generates an error. Optionally, as mentioned, open a support case so we can examine this issue in more detail. I would try to delete a value, then collect logs from the Console so we can see what errors are displayed.



    ------------------------------
    Jonathan Pechta
    IBM Security - Community of Practice Lead
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: Expired Entry from the reference data is not getting deleted

    Posted Fri July 19, 2024 05:25 AM

    Hello Jonathan,

    IBM support has already provided the below script to delete the expired reference set. However, this is a temporary solution and it is not feasible to perform this regularly. We kindly request you to provide a permanent fix for this issue.

    for i in {1..10}; do echo "$i runs"; ./ReferenceDataV3.sh; sleep 2; done



    ------------------------------
    Aby Francis
    ------------------------------