Event processing performance
Your IBM® QRadar® configuration might impact the event processing pipeline.
Event processing can be affected by DSM extensions, custom properties, rule tests, and global views. Event parsing and the custom rules engine automatically detect dropped events, run self-monitoring diagnostics, and report which DSM extensions, rules, and properties are slow.
Non-optimized custom properties
Custom properties are marked as optimized when they are regularly used for QRadar rules or for searching and filtering.
Non-optimized custom properties are parsed by the system, which affects search speeds and the loading rate of the web browser.
Rule tests that impact performance
Rules that test for regular expressions in an event payload affect QRadar performance because they search the entire payload. To limit the events that reach a payload test, narrow the rule first with the following filters:
- Log source type filter
- Log source group or specific log source filter
- An optional source IP address filter
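As an added illustration (not IBM code, and not how the QRadar rules engine is implemented), the Python model below counts full-payload regex scans for a rule that has only a payload test and for rules that apply the filters listed above first. It assumes that tests are evaluated in order and that evaluation stops at the first failed test; the event field names and the sample events are constructed.

```python
import re

# Constructed sample events; the field names are assumptions, not a QRadar schema.
EVENTS = [
    {"type": "LinuxServer", "group": "dmz", "src": "10.0.0.5",
     "payload": "sshd[411]: Failed password for root from 10.0.0.5 port 2222"},
    {"type": "LinuxServer", "group": "dmz", "src": "10.0.0.6",
     "payload": "sshd[412]: Accepted publickey for deploy from 10.0.0.6"},
    {"type": "Firewall", "group": "perimeter", "src": "10.0.0.5",
     "payload": "DENY tcp 10.0.0.5:51000 -> 192.0.2.10:22"},
    {"type": "WebProxy", "group": "office", "src": "10.0.1.9",
     "payload": "GET http://example.test/index.html 200"},
    {"type": "LinuxServer", "group": "internal", "src": "10.0.2.7",
     "payload": "cron[88]: job started"},
]

class CountingRegex:
    """Payload test that records how many full payloads it had to scan."""
    def __init__(self, pattern):
        self._re = re.compile(pattern)
        self.scans = 0

    def search(self, payload):
        self.scans += 1
        return self._re.search(payload) is not None

def run_rule(events, pattern, log_type=None, group=None, src=None):
    """Apply the cheap field filters first; scan the payload only if all pass.
    Returns (matching events, number of payload scans)."""
    regex = CountingRegex(pattern)
    matches = []
    for e in events:
        if log_type is not None and e["type"] != log_type:
            continue  # log source type filter
        if group is not None and e["group"] != group:
            continue  # log source group filter
        if src is not None and e["src"] != src:
            continue  # optional source IP address filter
        if regex.search(e["payload"]):
            matches.append(e)
    return matches, regex.scans

def compare(events=EVENTS, pattern=r"Failed password for \S+"):
    """Payload scans needed by each rule shape over the same events."""
    return {
        "payload_only": run_rule(events, pattern)[1],
        "type_and_group": run_rule(events, pattern, "LinuxServer", "dmz")[1],
        "with_source_ip": run_rule(events, pattern, "LinuxServer", "dmz", "10.0.0.5")[1],
    }
```

All three rule shapes find the same failed-login event in this sample; only the number of payloads that the regular expression has to scan changes.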
The Host with port open test can impact performance because it compares passive and active ports with the events and flows that are received by QRadar. Before you use the test, do a bidirectional check to ensure that the host responds to the communication request.
Global views
A saved search that is grouped by multiple fields generates a global view that has many unique entries. As the volume of data increases, disk usage, processing times, and search performance can be impacted.
To avoid increasing the volume of data, aggregate searches only on the fields that you need. You can reduce the impact on the accumulator by adding a filter to your search criteria.