IBM QRadar

Hi,

While suggesting to customers to buy more EPS license.

Which count we need to consider to request them to procure more license.

Average EPS or Peak EPS?

Will peak EPS really impact on the smooth functioning of EPS?

Hi Tobin,

it depends on many factors. There is a buffer of 5 Gig and events over the license will be stored in that buffer and a soon as the eps is under the license limit again, they will be taken out first in first out. You should never fill up the buffer over 75% and the recovery rate should not be longer than the correlation you use in the rules (if they take longer you might change the rule to refsets)

Best article for that is:

My Question was like . On what basis we need to suggest customers " How many EPS need to purchase based on current traffic flow "

I think this article will be helpful. In support, our performance team put together some AQL queries to help users identify both avg and peak EPS more easily.

I think you need to identify both peak over time, but also determine if there are times when you have sustained peak EPS. As you need to go below your license cap to catch up to events in the butter (first in first out) by time received. The goal is to balance somewhere in the middle or build in some gap for growth as you want to add more log sources. What is peak today might not be peak or avg as you add more log sources or you aren't maintaining what you are dropping with routing rules.

So, I would use this to look at what is average vs peak now and put in a plan for growth in case your top log source is possibly Windows and an admin decides to turn on object level auditing and you get event bombed as you are always over license.

https://www.ibm.com/support/pages/node/6406002

I think it would be good to also add in the Self Analytics monitoring content extension as it will graph some of this data in the Pulse app as a packaged dashboard.