IBM QRadar

This message is generated when a search cannot locate the reference data ID. The Error, "qradar unable to load reference set with id:nnnn" means that a search is trying to reference a value that does not exist. Here is an example: 

Mar 25 13:21:54 ::ffff:IPADDRESS [tomcat] [ArielQueryManager] com.q1labs.core.types.networkevent.ReferenceSetPredicate: [WARN] [NOT:0000004000][IPADDRESS/- -] [-/- -]Unable to load reference set with id:100

This could be due to a search that needs to be updated as the reference set was deleted and recreated or changed in some way. This could also be a legitimate error message where the search/accumulator cannot find a reference to an ID that is still part of the search. It might also potentially be a permissions issue, but support will need to review why this issue is occurring. 

Someone will need to determine what service is missing the ID to track back if it is in a search (ariel_query), a graphing component (accumulator/customviewparams), or a rule (custom_rule) that needs to be updated. 

Where nnn is the ID in the error logs that is being reported. 

select * from custom_rule where rule_data like '%getReferenceSets%nnn%'
select * from customviewparams where queryparams like '%INRS%nnn%'
select * from ariel_query_handle where query_handle like '%INRS%nnn%'

What to do 
If you haven't done so, you should probably start by seeing if you can identify what ID is being called. Or, if you are unsure of how to proceed here, get QRadar Support involved and we'll review your system to see what is causing this issue. There is something in either a graph, rule, or search parameter that is missing the reference set ID value, which is generating the error message. If you provide logs to support via a case, we can take a look and figure out why the error message is generated and advise you on how to correct the issue. I haven't seen anyone log an issue against 7.3.1 Patch 8 on this issue, but we can investigate and resolve.