IBM QRadar

A few weeks ago we started seeing issues with the /transient folder hitting 90% almost nightly. I disabled all nightly reports and cleared the folder down to 23% last night and it was back up to 75% over night with the larger files being created at 00:30, 01:30, and 02:30. Is there a way to trace back what processes or searches are creating the files. We have not had the issues since we built the environment out years ago. 

We have already tried:

• Addressing the expensive searches
• Disabled QDI
• Deleted large searches from the UI that are no longer needed.
• Followed tech notes to free up additional space in /transient.

Looking for a way to trace back what is creating the files and using up the space.

Hi Russell

If the files are being created at those specific times evry night is there a Cron job set to do something at those times?

What are the names of the files being created?

Thanks

A few weeks ago we started seeing issues with the /transient folder hitting 90% almost nightly. I disabled all nightly reports and cleared the folder down to 23% last night and it was back up to 75% over night with the larger files being created at 00:30, 01:30, and 02:30. Is there a way to trace back what processes or searches are creating the files. We have not had the issues since we built the environment out years ago. 

We have already tried:

• Addressing the expensive searches
• Disabled QDI
• Deleted large searches from the UI that are no longer needed.
• Followed tech notes to free up additional space in /transient.

Looking for a way to trace back what is creating the files and using up the space.

We had one of our customers doing this and it turned out to be the UBA doing some huge searches (200K users).  Once we knew what it was we put expiration on most of the reference sets relating to UBA, 4 month on the dormant for instance.

Hi Russell

If the files are being created at those specific times evry night is there a Cron job set to do something at those times?

What are the names of the files being created?

Thanks

A few weeks ago we started seeing issues with the /transient folder hitting 90% almost nightly. I disabled all nightly reports and cleared the folder down to 23% last night and it was back up to 75% over night with the larger files being created at 00:30, 01:30, and 02:30. Is there a way to trace back what processes or searches are creating the files. We have not had the issues since we built the environment out years ago. 

We have already tried:

• Addressing the expensive searches
• Disabled QDI
• Deleted large searches from the UI that are no longer needed.
• Followed tech notes to free up additional space in /transient.

Looking for a way to trace back what is creating the files and using up the space.