IBM QRadar

  • 1.  EPS consumption

    Posted Wed October 13, 2021 04:26 PM

    Hello,

    I am trying to get an "accurate" value about the EPS consumption.

    There are two types of logs that report EPS values: StatFilter:

    [ecs-ec.ecs-ec] [[type=com.q1labs.semsources.filters.stat.StatFilter][parent=example.lab:ecs-ec/EC/Processor2]] com.q1labs.semsources.filters.stat.StatFilter: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -] Events per second: 1s:5,5 (peak 600,600) (compression: 0%) 5s:1,1 (peak 455,455) (compression: 0%) 10s:61,61 (peak 416,416) (compression: 0%) 30s:104,104 (peak 345,345) (compression: 0%) 60s:130,130 (peak 303,303) (compression: 0%)

    and SourceMonitor:

    [ecs-ec.ecs-ec] [64d53789-ea65-4c68-a350-de1b8786c143/SequentialEventDispatcher] com.q1labs.sem.monitors.SourceMonitor: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Incoming raw event rate (5s: 2.80 eps), (10s: 2.60 eps), (15s: 104.87 eps), (30s: 70.07 eps), (60s: 98.52 eps), (300s: 136.98 eps), (900s: 136.98 eps). Peak in the last 60s: 376.80 eps. Max Seen 727.40 eps. EC Throttles/5s (60s: 0.00). Total EC Throttles in the last 60s: 0. Total EC Throttles: 0. License Threshold: 4025.00

    I noticed that the SourceMonitor events usually have higher values than the StatFilter events.

    Which one has the closest value to the real EPS consumption?

    In terms of the event pipeline, which one comes first: the SourceMonitor or the statFilter?

    Thanks,

    Salma



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: EPS consumption

    Posted Wed October 13, 2021 04:57 PM

    The SourceMonitor value is detected before any kind of analysis is applied by the various QRadar engines, so it contains not only the EPS given by the logs received from the Log Source but also the 50-55 EPS of logs generated by the collector itself (Health Metrics and the like) and any giveback given by any routing rules; this is why the StatFilter is always lower, because it should give you a "clean" value from all the extras (system logs + routing rules), but in reality I never get the numbers, probably because of the average calculations it makes. Let's say that the most accurate value is the SourceMonitor, but you always have to remember to subtract the giveback to get the exact value. I normally count the SourceMonitor value over 60 seconds (also because the log is generated every 60 seconds) and the Peak EPS by subtracting the giveback (tail -f /var/log/qradar.log | grep giveback). Peak EPS is more useful if you are in a multi-tenant environment; otherwise the value for the last 60 seconds is sufficient.

    This link would be useful:

    https://www.ibm.com/support/pages/qradar-event-rate-eps-graph-may-not-reflect-entire-event-load-system#about

    Rocco





  • 3.  RE: EPS consumption

    Posted Wed October 13, 2021 05:33 PM

    Just to add on to what Rocco posted.

    This is a really good article that you should take a look at, as we often get this question about Peak vs Avg in support. The queries used in the technical note look at the metric ID values from the payloads of the Health Metrics DSM.

    QRadar: How to troubleshoot peak Events Per Second





  • 4.  RE: EPS consumption

    Posted Thu October 14, 2021 09:49 AM

    Thanks Support Member,

    It is less ambiguous for me now.

    However, when I try to do the math with those values I get lost again.

    Example of values from the system logs in minute X:

    SourceMonitor (60s) = 5821

    StatFilter (60s) = 1855

    Giveback = 1367

    EPS for external log sources in minute X = 1809

    Now, I would say that the "accurate" EPS is the one from StatFilter.

    But the sum of StatFilter and the Giveback is way less than the SourceMonitor (3222 <<< 5821). I wonder where the 2599 EPS are?


    Thanks again.

    Salma



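An added example, not written by anyone in this thread: a small Python parser for the two qradar.log line formats quoted in the first post, plus the reconciliation arithmetic from the fourth post (SourceMonitor 60s minus StatFilter 60s and giveback, following Rocco's rule of thumb). The sample lines are the ones quoted above; the function names are my own.

```python
import re

# Sample qradar.log lines as quoted in the first post (constructed input for this example).
STATFILTER_LINE = (
    "[ecs-ec.ecs-ec] [[type=com.q1labs.semsources.filters.stat.StatFilter]"
    "[parent=example.lab:ecs-ec/EC/Processor2]] com.q1labs.semsources.filters.stat.StatFilter:"
    " [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -] Events per second: 1s:5,5 (peak 600,600)"
    " (compression: 0%) 5s:1,1 (peak 455,455) (compression: 0%) 10s:61,61 (peak 416,416)"
    " (compression: 0%) 30s:104,104 (peak 345,345) (compression: 0%) 60s:130,130 (peak 303,303)"
    " (compression: 0%)"
)
SOURCEMONITOR_LINE = (
    "[ecs-ec.ecs-ec] [64d53789-ea65-4c68-a350-de1b8786c143/SequentialEventDispatcher]"
    " com.q1labs.sem.monitors.SourceMonitor: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]"
    "Incoming raw event rate (5s: 2.80 eps), (10s: 2.60 eps), (15s: 104.87 eps), (30s: 70.07 eps),"
    " (60s: 98.52 eps), (300s: 136.98 eps), (900s: 136.98 eps). Peak in the last 60s: 376.80 eps."
    " Max Seen 727.40 eps. EC Throttles/5s (60s: 0.00). Total EC Throttles in the last 60s: 0."
    " Total EC Throttles: 0. License Threshold: 4025.00"
)

# StatFilter windows look like "60s:130,130 (peak 303,303)"; SourceMonitor like "(60s: 98.52 eps)".
STAT_WINDOW = re.compile(r"(\d+)s:(\d+),\d+ \(peak (\d+),\d+\)")
SM_WINDOW = re.compile(r"\((\d+)s: ([\d.]+) eps\)")
SM_PEAK = re.compile(r"Peak in the last 60s: ([\d.]+) eps")
SM_LICENSE = re.compile(r"License Threshold: ([\d.]+)")


def parse_statfilter(line):
    """Return {window_seconds: (eps, peak_eps)} from a StatFilter line, {} for other lines."""
    if "StatFilter:" not in line:
        return {}
    return {int(w): (int(eps), int(peak)) for w, eps, peak in STAT_WINDOW.findall(line)}


def parse_sourcemonitor(line):
    """Return windows, 60s peak and license threshold from a SourceMonitor line, {} otherwise."""
    if "SourceMonitor:" not in line:
        return {}
    peak = SM_PEAK.search(line)
    lic = SM_LICENSE.search(line)
    return {
        # "(60s: 0.00)" inside "EC Throttles/5s" has no " eps" suffix, so it is not picked up here.
        "windows": {int(w): float(eps) for w, eps in SM_WINDOW.findall(line)},
        "peak_60s": float(peak.group(1)) if peak else None,
        "license_threshold": float(lic.group(1)) if lic else None,
    }


def unexplained_eps(sourcemonitor_60s, statfilter_60s, giveback):
    """Remainder after subtracting StatFilter and giveback from SourceMonitor (the fourth post's gap)."""
    return sourcemonitor_60s - (statfilter_60s + giveback)
```

Feed `parse_sourcemonitor` and `parse_statfilter` the lines from `grep -e SourceMonitor -e StatFilter /var/log/qradar.log` and compare the 60s values minute by minute; the collector's own 50-55 EPS of self-generated logs mentioned in Rocco's reply is not subtracted here.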