IBM QRadar

 Default retention bucket purged 6 months+ of data

Taofeek Isiaka-Aliagan posted Tue May 27, 2025 03:26 AM

Hi, I recently ran into an issue where indexed event data on QRadar was deleted due to the retention policy period. Now, over six months of indexed event data is missing. I can confirm that the raw logs (payload) are stored in the /store/ariel database. My question is: is there a way to refeed these raw logs into the system to index and normalize so that I can now have historical indexed data that I can query?

Juan Paulo

Hi, you can use the ariel_offline_indexer.sh on your box; you can see the details in this technote: https://www.ibm.com/support/pages/qradar-how-use-arielofflineindexersh.
I would like to suggest a couple of things:

  • Storing indexes for 6 months will take a LOT of disk space on your EPs/FPs/Console, so I would recommend making it incremental.
  • Generating those indexes will consume a LOT of CPU and IO, so your box should have available resources to run the command, or you should use it during low-usage times.
  • Executing a query to search through 6 months, if there is a lot of data, will take a lot of time, even if that data is indexed. So figure out if you really need that.
  • Searching the data 6 months back without indexes will still find what you're looking for, so it's not mandatory to have indexes to find the data.
  • Tune your index attributes and queries; if you create a search in the wrong way, even if the data is indexed, the query will have to review all the data.

Regards
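As an added illustration of the incremental, low-usage approach recommended above (example code, not from the thread or from IBM), here is a wrapper that feeds the indexer one day at a time and waits while the box is busy or the store is short on space. The indexer command line and its window arguments are placeholders, since the real syntax is in the linked technote; the load and free-space thresholds are assumed values.

```python
import datetime as dt
import os
import shutil
import subprocess
import sys
import time

# Placeholder (assumption): the real command line and options for
# ariel_offline_indexer.sh are in the IBM technote linked above; set this to match.
INDEXER_CMD = ["/bin/echo", "ariel_offline_indexer.sh placeholder for window"]
STORE_PATH = "/store"  # the ariel database lives under /store/ariel on QRadar

def day_windows(start_iso, end_iso):
    """Split [start, end) into one-day ISO date pairs for incremental runs."""
    start, end = dt.date.fromisoformat(start_iso), dt.date.fromisoformat(end_iso)
    windows, day = [], start
    while day < end:
        nxt = day + dt.timedelta(days=1)
        windows.append((day.isoformat(), min(nxt, end).isoformat()))
        day = nxt
    return windows

def quiet_enough(max_load, min_free_gb, path=STORE_PATH, load=None, free_bytes=None):
    """True when the 1-minute load average and free space on `path` are within
    limits. `load` and `free_bytes` can be injected; otherwise they are sampled."""
    if load is None:
        load = os.getloadavg()[0]
    if free_bytes is None:
        free_bytes = shutil.disk_usage(path).free
    return load <= max_load and free_bytes >= min_free_gb * 1024 ** 3

def reindex(start_iso, end_iso, max_load=2.0, min_free_gb=50, path=STORE_PATH,
            wait=300, run=subprocess.run):
    """Hand each day window to the indexer, pausing while the box is busy or
    the store is low on space. Returns the number of windows indexed."""
    done = 0
    for w_start, w_end in day_windows(start_iso, end_iso):
        while not quiet_enough(max_load, min_free_gb, path):
            print(f"busy or low on disk, retrying in {wait}s", file=sys.stderr)
            time.sleep(wait)
        # Window arguments are a hypothetical form; use the documented syntax.
        run(INDEXER_CMD + [w_start, w_end], check=True)
        done += 1
    return done

if __name__ == "__main__":
    print(f"indexed {reindex(sys.argv[1], sys.argv[2])} day window(s)")
```

Run it as `python3 reindex.py 2024-11-01 2025-05-01` to walk six months a day at a time; tune `max_load` and `min_free_gb` to the sizing of your EP/FP/Console.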