This might not provide the "given" answer, but hopefully it helps your orientation.
As you mentioned, SourceMonitor logs should show the rate at ingest/collection - essentially before processing pipeline. This is also stated in the referenced article, "routing rules and the licensing components occur before StatsFilter values are calculated". I would say that for the sake of discussion you can assume that for internal source QRadar uses internal routing to achieve the license give back (for dropped events and internal log sources). Thus, the StatsFilter log will show the status after this event routing takes effect.
As you can find in this article, "QRadar : License EPS & give back":
"Licensed EPS + dropped EPS = EPS rate that is allowed for the next one second."
I'd say the question is: which way are you leaning?
(BTW, you might also have the third option - EPMonitor logs if you want to see the storage EPS.)
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Tue December 03, 2019 11:34 AM
From: Atul Chaurasia
Subject: How the EPS is divided between EC and CRE in EPS ?
Hi Martin,
Thanks for the explanation, but there is a default search from QRadar to calculate EPS, which uses stats from "statfilter", which essentially gives data after the routing rule, when logs are about to reach the ecs-ep queue.
I guess you are referring to the EPS which is calculated based on "source monitor" at the beginning of the ECS-EC pipeline.
Refer to the article below:
https://www.ibm.com/support/pages/qradar-event-rate-eps-graph-may-not-reflect-entire-event-load-system
Also, various AQL given to calculate EPS per log source often indicated data from "statfilter" when events are about to enter the ecs-ep pipeline.
I would appreciate it if you can tell which one to use to showcase to the customer, because there is much confusion still left with this.
Thanks,
Atul
------------------------------
Atul Chaurasia
Original Message:
Sent: Fri March 08, 2019 05:19 AM
From: Martin Schmitt
Subject: How the EPS is divided between EC and CRE in EPS ?
Hi,
Licensing is done at the Event Collector ingress before the event reaches the DSM or CRE. There can be some give backs later if routing rules do not forward the event to ECS-EP. The following picture shows the flow of events and flows:
------------------------------
Martin Schmitt
Original Message:
Sent: 03-04-2019 08:07 AM
From: Gayathri Pulla
Subject: How the EPS is divided between EC and CRE in EPS ?
Hi Team,
How is the total distribution of EPS made? Is the total EPS license used for incoming events @ Event Collector only, or else is the same EPS split for DSMs and Custom Rule Engine as well for incoming rates to CRE?
------------------------------
Gayathri Pulla
------------------------------