Occasionally I receive the message "Expensive CRE Rule found", so I ran /opt/qradar/support/findExpensiveCustomRules.sh, downloaded the results and opened the .txt file in Excel. Now I have a lot of columns: AverageExecutionTime, TotalTestTime, ActionsTime, ResponseTime and so on. Is there any documentation on how to interpret these values? What am I looking for in order to find the most expensive rules?
How to find expensive Rules?
Nilesh Patel
Re: How to find expensive Rules? 2015-06-17T20:13:29Z (accepted answer)
I usually sort the spreadsheet by AverageExecutionTime and TotalExecutionTime, and start with the top 10 to investigate the expensive rules. Keep in mind that you would need to run findExpensiveCustomRules.sh when you see the CRE queue is dropping events; otherwise the spreadsheet won't be helpful to you.
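Sorting the export the way the answer describes can be scripted instead of done by hand in Excel. This is an added Python example, not code from the thread or from QRadar; it assumes the .txt export is tab-separated with a header row naming the columns, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample in the assumed shape of a findExpensiveCustomRules.sh
# export: tab-separated, one header row. The delimiter and the exact set of
# columns are assumptions; a real export may differ.
SAMPLE_EXPORT = """RuleName\tAverageExecutionTime\tTotalExecutionTime\tTotalTestTime\tActionsTime\tResponseTime
Excessive Firewall Denies\t0.012\t1200.5\t900.1\t200.0\t100.4
Login Failures Followed by Success\t0.350\t87.2\t80.0\t5.0\t2.2
Local: Custom Regex Match\t2.900\t5800.0\t5700.0\t50.0\t50.0
Remote Access from Foreign Country\t0.004\t40.0\t30.0\t5.0\t5.0
Malformed Row\tN/A\t\t\t\t
"""

TIME_COLUMNS = ("AverageExecutionTime", "TotalExecutionTime",
                "TotalTestTime", "ActionsTime", "ResponseTime")


def parse_export(text):
    """Parse the tab-separated export into a list of dicts.

    Timing columns are converted to float. Rows with a missing or
    non-numeric timing field are dropped rather than sorted as zero,
    so a broken line cannot hide a genuinely slow rule.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        try:
            for col in TIME_COLUMNS:
                row[col] = float(row[col])
        except (TypeError, ValueError):
            continue
        rows.append(row)
    return rows


def top_expensive(rows, key="AverageExecutionTime", n=10):
    """Return the names of the n rules with the highest value of `key`.

    TotalExecutionTime breaks ties, so a rule that is both slow per event
    and evaluated often surfaces first, matching the advice to look at
    both columns.
    """
    ranked = sorted(rows, key=lambda r: (r[key], r["TotalExecutionTime"]),
                    reverse=True)
    return [r["RuleName"] for r in ranked[:n]]


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("Top by average:", top_expensive(parsed, "AverageExecutionTime", 3))
    print("Top by total:  ", top_expensive(parsed, "TotalExecutionTime", 3))
```

Run it against the real export by replacing SAMPLE_EXPORT with the file contents; the two lists are the starting points for investigation, and the malformed-row handling tells you when the export itself needs a look.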