EPS Calculations via API:
(1) The API does NOT count unparsed events (events not tagged to any log source).
(2) The API extracts information from the Log Source Management tab. The log sources page has a column titled 'Average EPS' against each log source. This average is a rolling value as events continue to come in.
(3) This 'Average EPS' per log source is calculated from the moment the log source starts receiving events until the current time, which is picked by the API.
(4) This average value will keep changing as incoming data changes. A spike in incoming events will change the value.
EPS Calculations via AQL Query:
(1) The AQL query mentioned includes the unparsed events.
(2) The AQL query extracts events from the backend Ariel database.
(3) This query can be performed on parsed events or raw events.
(4) The query can be modified to extract average EPS for the last 60 seconds, 5 minutes, 60 minutes, etc.
(5) If you exclude unparsed events from the AQL query, then the count at that time will be similar to the API query. (Remember, the API value is always changing since it's a rolling average, while the AQL output is fixed for that instance in time.)
Graphs on the dashboard also provide average EPS:
https://www.ibm.com/support/pages/qradar-event-rate-eps-graph-may-not-reflect-entire-event-load-system
Also note that API and AQL query values will also change if the pipeline is experiencing issues (stored events, dropped events, performance degradation, etc.).
Refer to the following two online documents for generating reports for EPS:
Link: https://www.ibm.com/support/pages/qradar-determining-events-second-rate-each-log-source-qradar
Link: https://www.ibm.com/support/pages/qradar-report-display-log-sources-and-total-events-log-source
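
The difference between the two figures, as an added example that is not part of the original post and not IBM code: a Python model over constructed per-second counts, treating the API figure as a per-log-source average since the first event and the AQL figure as a fixed-window average. The log source name `fw01`, the sample data and the function names are assumptions; no QRadar API or AQL call is made.

```python
from collections import defaultdict

def build_sample():
    """Constructed data: (second, log_source or None if unparsed, event_count).
    'fw01' (assumed name) sends 10 EPS for 600 s, then spikes to 100 EPS for 60 s.
    Unparsed events arrive at a steady 5 EPS throughout."""
    rows = []
    for t in range(660):
        rows.append((t, "fw01", 10 if t < 600 else 100))
        rows.append((t, None, 5))
    return rows

def lifetime_avg_eps(rows, now):
    """API-style value as described above: per log source, averaged from the
    first event seen until 'now'. Unparsed events are not counted."""
    total, first_seen = defaultdict(int), {}
    for t, src, n in rows:
        if src is None or t >= now:
            continue
        total[src] += n
        first_seen.setdefault(src, t)
    return {s: total[s] / (now - first_seen[s]) for s in total}

def window_avg_eps(rows, now, window, include_unparsed=True):
    """AQL-style value: all events in the last 'window' seconds before 'now',
    optionally dropping unparsed events to make it comparable to the API."""
    total = sum(n for t, src, n in rows
                if now - window <= t < now
                and (include_unparsed or src is not None))
    return total / window

if __name__ == "__main__":
    rows = build_sample()
    for now in (600, 660):  # before and after the spike
        print(f"t={now}s")
        print("  API-style lifetime average:", lifetime_avg_eps(rows, now))
        print("  AQL-style last 60 s, with unparsed:",
              window_avg_eps(rows, now, 60))
        print("  AQL-style last 60 s, parsed only:",
              window_avg_eps(rows, now, 60, include_unparsed=False))
```

At a steady rate the parsed-only window matches the lifetime average; after the spike the window reports the current load while the lifetime average has only drifted upward.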