There is no limit nor any hardcoded limit. The system will parse any enabled property, until the system experiences performance issues. If performance issues occur, the appliance can alert the admin to a poorly performing custom event property or disable a property if it is causing issues on the managed host.
If this occurs, you'll see the following system notifications:
- QID 38750138 - Performance degradation was detected in the event pipeline. Expensive custom properties were found.
- QID 38750097 - A custom property has been disabled.
We typically advise that users check system notifications to confirm if these have been occurring. You can always do a QID search from the Log Activity > Add Filter > QID equals 38750097 to determine if you need to review or reenable a custom property. It is not a bad idea to review occurrence of the disabled CEP QID 0097 occasionally in case another admin has been clearing notifications.
#QRadar#Support#SupportMigration