IBM Support

QRadar: How to run a search or report when you get an accumulator error

Troubleshooting


Problem

This technical note describes how to run large saved searches or reports when you get the error message: 'Accumulator out of memory' or 'Accumulator falling behind'.

Symptom

When this issue occurs, QRadar will generate one of the following error messages:

  • Accumulator out of memory (Dashboard notification)
  • Accumulator falling behind (System Notification)
  • The accumulator dropped records (System Notification)


Cause

These messages can be caused by using too many columns, grouping by too many categories, or using columns that consume a lot of resources, such as Start Time or Source Port. Columns like these produce too many unique values.

Diagnosing The Problem

If the error messages are infrequent, then the messages can be ignored. As

Resolving The Problem

If you notice these error messages when you run a search or report, you might attempt the following:

  • Reduce the number of columns in your search.
  • Reduce the number of fields in the search that generate unique values, such as Source Port or Start Time.
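
The effect of removing high-cardinality columns can be seen outside QRadar with a small model. The Python sketch below is an added example, not IBM code and not a description of how the accumulator is implemented: it counts the distinct value combinations that a grouped search has to track over constructed sample events. The function names and the `max_groups` budget are hypothetical and do not correspond to any QRadar setting.

```python
ALL_COLUMNS = ["Source IP", "Destination IP", "Event Name", "Source Port", "Start Time"]

def build_sample_events():
    """Constructed sample data: 3 hosts x 200 events, each event with a new
    ephemeral source port and a per-second start time."""
    events = []
    for host_idx, src_ip in enumerate(("10.0.0.5", "10.0.0.6", "10.0.0.7")):
        for n in range(200):
            events.append({
                "Source IP": src_ip,
                "Destination IP": "192.0.2.10" if n % 2 else "192.0.2.20",
                "Event Name": "Firewall Permit" if n % 4 else "Firewall Deny",
                "Source Port": 49152 + host_idx * 200 + n,
                "Start Time": 1528000000 + n,
            })
    return events

def group_count(events, columns):
    """Distinct value combinations across the chosen columns, i.e. the number
    of result rows an aggregated search over them must keep in memory."""
    return len({tuple(e[c] for c in columns) for e in events})

def column_cardinality(events, columns=ALL_COLUMNS):
    """(unique values, column) pairs, highest cardinality first."""
    return sorted(((group_count(events, [c]), c) for c in columns), reverse=True)

def prune_columns(events, columns, max_groups):
    """Remove the highest-cardinality column until the combined grouping fits
    within max_groups (an arbitrary budget chosen for this example)."""
    columns = list(columns)
    while len(columns) > 1 and group_count(events, columns) > max_groups:
        worst = max(columns, key=lambda c: group_count(events, [c]))
        columns.remove(worst)
    return columns

if __name__ == "__main__":
    events = build_sample_events()
    for unique, name in column_cardinality(events):
        print(f"{name:15} {unique:4} unique values")
    print("all columns    :", group_count(events, ALL_COLUMNS), "groups")
    kept = prune_columns(events, ALL_COLUMNS, max_groups=50)
    print("after pruning  :", group_count(events, kept), "groups using", kept)
```

On this sample, every event forms its own group while Source Port or Start Time is selected; removing both collapses 600 groups to 9.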

Procedure

  1. Log in to the QRadar Console.
  2. Click the Log Activity tab.
  3. From the Columns list, select a field, such as Start Time or Source Port.
  4. Click the < icon to remove a value.

  5. To save the search results, use either of the two examples below:

    1. Either click the Save Results check box, add a Search Name and click Search.
    2. Click Search and then, from the Navigation bar, click Save Criteria.
    3. Click OK.



Where do you find more information?


Document Information

Modified date:
16 June 2018

UID

swg21967796