Historical Query returns events with duplicate IDs

  • 3673909
  • 29-Jan-2007
  • 26-Apr-2012

Environment

Sentinel 5.1.3
Windows 2003, 2000
MSSQL, MSSQL 2005
Oracle 9i

Situation

When performing a historical query over a given time window, unexpected results are returned. For example, a historical query for the past 30 minutes that would normally return 100 events returns as many as 8000 events, with duplicate IDs.

The cause is that multiple query_manager processes are registered with Sonic. Customers often install Sentinel components on different machines, and in doing so sometimes inadvertently install more than one Query Manager. Only one query_manager process should be registered with Sonic; otherwise, when a historical query is submitted, every registered query_manager process attempts to fulfill the request. The result is a longer time to return results and many duplicate IDs.
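The symptom above can be confirmed from the query result itself before opening the Sonic console: if N query managers each answer the same request, every event ID should appear about N times. The following Python script is an added example, not part of the original article or of Sentinel; the record layout (an `event_id` field per event) and the sample events are constructed for illustration. It reports the duplicated IDs, collapses the result to distinct events, and estimates the number of responding query managers from the most common multiplicity.

```python
from collections import Counter

# Constructed sample of a historical query result. The field names are an
# assumption for this example; four distinct events come back three times each,
# which is what three registered query_manager processes would produce.
SAMPLE_EVENTS = [
    {"event_id": "E1001", "event_time": "2007-01-29T10:00:00", "message": "login ok"},
    {"event_id": "E1002", "event_time": "2007-01-29T10:00:05", "message": "login failed"},
    {"event_id": "E1003", "event_time": "2007-01-29T10:00:09", "message": "port scan"},
    {"event_id": "E1004", "event_time": "2007-01-29T10:00:12", "message": "login ok"},
] * 3


def duplicate_ids(events):
    """Return {event_id: occurrence_count} for every ID seen more than once."""
    counts = Counter(e["event_id"] for e in events)
    return {eid: n for eid, n in counts.items() if n > 1}


def dedupe(events):
    """Keep the first copy of each event_id, preserving the original order."""
    seen = set()
    unique = []
    for e in events:
        if e["event_id"] in seen:
            continue
        seen.add(e["event_id"])
        unique.append(e)
    return unique


def estimated_responders(events):
    """Most common multiplicity of an ID; with k query managers answering the
    same request this is k. Returns 0 for an empty result set."""
    counts = Counter(e["event_id"] for e in events)
    if not counts:
        return 0
    multiplicity = Counter(counts.values())
    return multiplicity.most_common(1)[0][0]


def diagnose(events):
    """Summarise the result set so an operator can decide whether to check Sonic."""
    unique = dedupe(events)
    responders = estimated_responders(events)
    return {
        "returned": len(events),
        "distinct": len(unique),
        "duplicated_ids": len(duplicate_ids(events)),
        "estimated_query_managers": responders,
        "suspect_multiple_query_managers": responders > 1,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_EVENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A value of `estimated_query_managers` greater than 1 matches the situation described in this article and points to the Sonic connection check in the Resolution section; a result set with no duplicates, or with duplicates that do not share a common multiplicity, indicates a different problem.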

Resolution

First you need to verify whether or not multiple query_manager processes are registered in Sonic.

1.) Log in to the Sonic Management Console (located in %ESEC_HOME%\3rdparty\SonicMQ\MQ6.1\bin on Windows or $ESEC_HOME/3rdparty/SonicMQ/MQ6.1/bin on *nix).
2.) Click on the Manage tab.
3.) Expand Containers -> esecContainer -> esecBroker, then highlight Connections.
4.) You will see a query_manager connection set with the associated hostID or IP address. There will be 3 per hostID or IP address (see image below).
5.) If there is more than one set of query_manager processes, note the hostID or IP address and remove that process from those individual machines.