Example: Incoming data spike
Every morning, between 8am and 9am, a company's network experiences a data spike as employees log in and begin to use the network resources.
The company's deployment includes a QRadar 1828 Event/Flow Processor appliance that is allocated 5,000 events per second (EPS) and 100,000 flows per minute (FPM). On average, the appliance receives 4,000 EPS and 70,000 FPM, which is within its allocation.
During the data spike, which peaks around 9am, the appliance routinely receives up to 6,000 EPS and 120,000 FPM. The appliance keeps processing data at its allocated rate of 5,000 EPS and 100,000 FPM; QRadar automatically moves the excess (1,000 EPS and 20,000 FPM) to the burst handling queue and generates a system notification to alert the administrator that the appliance exceeded its allocated capacity.
The following images show a two-hour window in which the incoming event and flow data exceeds the licensed capacity, which triggers a system notification, followed by a recovery period after the data volume returns to normal.

During the recovery period the burst handling queue drains at the spare licensed capacity, that is, the difference between the licensed rate and the incoming rate once traffic returns to its average:

5,000 licensed EPS - 4,000 incoming EPS = 1,000 EPS recovery rate
100,000 licensed FPM - 70,000 incoming FPM = 30,000 FPM recovery rate
Offenses are not generated until the queued data is processed by the appliance, so it is important to allocate enough EPS and FPM to the appliance that it can drain the burst handling queue and recover from a data spike quickly.
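The following Python script is an added illustration, not IBM code and not a description of how QRadar implements its burst handling queue internally. It models the scenario above as a simple per-minute queue: each minute the appliance processes at most its licensed rate, and anything beyond that waits in a backlog. The arrival profiles for events and flows are constructed from the numbers on this page (a one-hour spike at 6,000 EPS / 120,000 FPM, then the 4,000 EPS / 70,000 FPM average). The model assumes an unbounded FIFO queue, which is a simplification. It also generalizes the recovery-rate arithmetic into a planning function, required_rate, that answers the question the page raises: how much EPS or FPM must be allocated so that the queue drains within a chosen number of minutes.

```python
"""Simplified burst-queue model for licensed-capacity planning (added example, not QRadar code)."""
import math
from dataclasses import dataclass

# Constructed arrival profiles, in units per minute, taken from the example on this page.
# Events are converted from EPS to events per minute (x60); flows are already per minute.
SPIKE_MINUTES = 60
TOTAL_MINUTES = 180
EVENT_PROFILE = [6000 * 60] * SPIKE_MINUTES + [4000 * 60] * (TOTAL_MINUTES - SPIKE_MINUTES)
FLOW_PROFILE = [120_000] * SPIKE_MINUTES + [70_000] * (TOTAL_MINUTES - SPIKE_MINUTES)


@dataclass
class Minute:
    minute: int
    incoming: int   # units that arrived during this minute
    processed: int  # units the appliance processed this minute
    backlog: int    # units still waiting in the burst queue at the end of the minute


def simulate_backlog(incoming_per_minute, licensed_per_minute):
    """Walk an arrival series through a processor capped at the licensed rate.

    Queued units are processed before new arrivals; anything above the cap stays
    queued. Assumption (not stated on the page): the queue is unbounded FIFO.
    """
    backlog = 0
    timeline = []
    for m, arriving in enumerate(incoming_per_minute):
        available = backlog + arriving
        processed = min(available, licensed_per_minute)
        backlog = available - processed
        timeline.append(Minute(m, arriving, processed, backlog))
    return timeline


def recovery_minutes(timeline):
    """Minutes from the peak backlog until the queue is empty again.

    Returns 0 if no backlog ever formed and None if it never drains in the series.
    """
    peak = max(range(len(timeline)), key=lambda i: timeline[i].backlog)
    if timeline[peak].backlog == 0:
        return 0
    for t in timeline[peak:]:
        if t.backlog == 0:
            return t.minute - timeline[peak].minute
    return None


def required_rate(average, peak, spike_minutes, target_recovery_minutes):
    """Smallest licensed rate so a spike of `peak` lasting `spike_minutes` drains
    within `target_recovery_minutes` once traffic returns to `average`.

    Backlog after the spike is (peak - L) * S and it drains at (L - average),
    so (peak - L) * S <= (L - average) * T gives L >= (peak*S + average*T) / (S + T).
    """
    needed = (peak * spike_minutes + average * target_recovery_minutes) / (
        spike_minutes + target_recovery_minutes
    )
    return math.ceil(needed)


def main():
    events = simulate_backlog(EVENT_PROFILE, 5000 * 60)
    flows = simulate_backlog(FLOW_PROFILE, 100_000)
    print(f"peak event backlog: {max(t.backlog for t in events):,} events, "
          f"drains in {recovery_minutes(events)} min at 1,000 EPS spare")
    print(f"peak flow backlog:  {max(t.backlog for t in flows):,} flows, "
          f"drains in {recovery_minutes(flows)} min at 30,000 FPM spare")
    print(f"EPS needed to recover within 30 min: {required_rate(4000, 6000, 60, 30):,}")
    print(f"FPM needed to recover within 20 min: {required_rate(70_000, 120_000, 60, 20):,}")


if __name__ == "__main__":
    main()
```

With the page's numbers, one hour of excess at 1,000 EPS leaves 3.6 million events queued, and a 1,000 EPS recovery rate takes a full hour to clear them, so offenses for anything that arrived around 9am may not appear until 10am. The flow queue drains in 40 minutes because its spare capacity (30,000 FPM) is larger relative to the excess. Raising the event allocation to 5,334 EPS would cut the event recovery to 30 minutes.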