IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Event coalescing

    Posted Sun May 09, 2021 01:25 PM

    Hi,

    We have a big number of reporting hosts using Wincollect, and therefore a lot of events are being coalesced.

    We don't want to disable the event coalescing as it will add a lot of eps, but there is a specific host which we don't want it's events being coalesced.

    Is there an option to exclude specific host from the event coalescing? or to add additional attribute to the test if the events can be coalesced ?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Event coalescing

    Posted Mon May 10, 2021 03:40 AM

    Hi,

    You can turn on/off the Event coalescing feature on a per log source basis.

    If you want to turn off the Event coalescing for a particular host, go to the log source configuration (you can also use log source management app) of that host and turn off the event coalescing and save the log source configuration.

    Let me know if it helps.

    Thank you.



    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: Event coalescing

    Posted Mon May 10, 2021 09:04 AM

    Hi, thank you for the reply.

    I wanted to know if there is an option to turn the coalescing just for specific host, and not the entire log source.


    Will turning the coalescing off effect the EPS rate ?



    #QRadar
    #Support
    #SupportMigration


  • 4.  RE: Event coalescing

    Posted Sun May 16, 2021 12:35 AM

    Hi,

    One note: Coalescing will not reduce eps usage. License limits are checked BEFORE coalescing. Coalescing will help with performance and disk space usage, however.



    #QRadar
    #Support
    #SupportMigration


Related Content