  • Latest Post - 2015-06-17T20:13:29Z by Nilesh Patel
TobiasA

How to find expensive Rules?

2015-05-27T12:12:08Z

Occasionally I receive the message: "Expensive CRE Rule found", so I ran /opt/qradar/support/findExpensiveCustomRules.sh, downloaded the results and opened the .txt file in Excel. Now I have a lot of columns: AverageExecutionTime, TotalTestTime, ActionsTime, ResponseTime and so on. Is there any documentation on how to interpret these values? What am I looking for in order to find the most expensive rules?

  • Nilesh Patel

    Re: How to find expensive Rules?

    2015-06-17T20:13:29Z

    I usually sort the spreadsheet by AverageExecutionTime and TotalExecutionTime, and start with the top 10 to investigate the expensive rules. Keep in mind that you would need to run findExpensiveCustomRules.sh when you see the CRE queue is dropping events; otherwise the spreadsheet won't be helpful to you.
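
The sort-and-take-the-top approach from the reply above, as an added Python example that is not part of either post or of QRadar. It goes one step further by merging the two rankings, so rules flagged by both metrics surface first. It assumes the downloaded .txt is tab-separated with a header row and a rule-name column called `RuleName` (hypothetical), and the sample rows are constructed.

```python
import csv
import io

NAME_COL = "RuleName"  # hypothetical column name; match it to your file's header
METRICS = ("AverageExecutionTime", "TotalExecutionTime")  # columns named in the reply

# Constructed sample, not real script output. Assumes tab-separated text with a header row.
SAMPLE = (
    "RuleName\tAverageExecutionTime\tTotalExecutionTime\n"
    "Slow regex on payload\t4.50\t900\n"
    "Broad any-event test\t0.30\t45000\n"
    "Reference set lookup\t2.10\t21000\n"
    "Login failure counter\t0.05\t500\n"
    "Disabled test rule\t\tn/a\n"
)

def _num(cell):
    """Parse a metric cell; blank, missing or non-numeric cells count as 0."""
    try:
        return float(cell.strip())
    except (AttributeError, ValueError):
        return 0.0

def load_rules(text, delimiter="\t"):
    """Read the exported table into one dict per rule, skipping unnamed rows."""
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    return [row for row in reader if (row.get(NAME_COL) or "").strip()]

def top_rules(rows, metric, n=10):
    """The n rows with the largest value in `metric`, highest first."""
    if rows and metric not in rows[0]:
        raise KeyError(f"column {metric!r} not in header: {list(rows[0])}")
    return sorted(rows, key=lambda r: _num(r[metric]), reverse=True)[:n]

def shortlist(rows, metrics=METRICS, n=10):
    """Rules in the top n of any metric, as (name, {metric: rank}) pairs.

    Rules flagged by more metrics come first, then by best rank, then by name.
    """
    hits = {}
    for metric in metrics:
        for rank, row in enumerate(top_rules(rows, metric, n), start=1):
            hits.setdefault(row[NAME_COL], {})[metric] = rank
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), min(kv[1].values()), kv[0]))

if __name__ == "__main__":
    for name, ranks in shortlist(load_rules(SAMPLE), n=2):
        print(name, ranks)
```

In the constructed sample, the rule with the highest average time and the rule with the highest total time are different rules, which is why both columns are ranked rather than one.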