Capacity sizing

The best way to deal with spikes in incoming data is to ensure that each managed host in your deployment is allocated enough events per second (EPS) and flows per minute (FPM) to absorb peak periods of incoming data. The goal is to allocate EPS and FPM so that the host has enough headroom to process data spikes promptly, but does not leave large amounts of licensed EPS and FPM idle.

When the EPS or FPM that is allocated from the license pool is very close to the average EPS or FPM for the appliance, the system is likely to accumulate data in a temporary queue to be processed later. The more data that accumulates in this temporary queue, also known as the burst-handling queue, the longer it takes QRadar to process the backlog, because only the headroom between the allocated rate and the average rate is available to work it off. For example, a QRadar host with an allocated rate of 10,000 EPS takes longer to empty the burst-handling queue when the average EPS rate for the host is 9,500 (500 EPS of headroom) than when the average EPS rate is 7,000 (3,000 EPS of headroom).

Offenses are not generated until the data is processed by the appliance: an event that is waiting in the burst-handling queue has not yet been evaluated against your rules, so any offense it would raise is delayed by however long the backlog takes to drain. It is therefore important to minimize how often QRadar adds data to the burst-handling queue. By ensuring that each managed host has enough capacity to process short bursts of data, you minimize the time that it takes for QRadar to process the queue, so that offenses are created close to the time the triggering event occurs.

When the incoming rate continuously exceeds the allocated processing capacity, you cannot resolve the problem by increasing the queue size. The excess data is appended to the end of the burst-handling queue, where it must wait to be processed, and because the host never gains headroom, the queue never drains. The larger the queue, the more events wait, and the longer each of them waits, before the appliance processes them. The only remedy is to allocate enough EPS or FPM to the host to cover its sustained rate.
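The queue behaviour described in the two preceding paragraphs, as a small simulation. This is an added example written for this page, not IBM code and not QRadar's actual queue implementation; the per-second processing cap, first-in-first-out draining, the optional queue limit that drops arrivals when the queue is full, and the constructed 30-second burst at 15,000 EPS are all assumptions of the model. It reproduces the 10,000 EPS example above (average 9,500 versus 7,000 EPS) and then the sustained-overload case, where doubling the queue size does not drain the backlog and only increases the time events wait before they can raise an offense.

```python
"""Illustrative model of a burst-handling queue (constructed example, not QRadar code).

Modelling assumptions, not taken from the IBM page: the host processes at most
`allocated_eps` events in any one second; arrivals beyond that are queued and
processed first-in, first-out; an optional `queue_limit` caps the queue, and
arrivals that find it full are counted as dropped.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class QueueStats:
    cleared_after_s: Optional[int]  # elapsed seconds when the backlog first emptied again, or None
    peak_depth: int                 # largest queue depth reached (events)
    max_latency_s: int              # longest any event waited in the queue before processing
    dropped: int                    # arrivals discarded because the queue was full


def simulate(allocated_eps: int, rates: list, queue_limit: Optional[int] = None) -> QueueStats:
    """Feed per-second arrival counts `rates` through a host capped at `allocated_eps`."""
    queue = deque()  # FIFO of [arrival_second, events_remaining]
    depth = 0
    was_backlogged = False
    stats = QueueStats(cleared_after_s=None, peak_depth=0, max_latency_s=0, dropped=0)

    for t, incoming in enumerate(rates):
        capacity = allocated_eps
        # Queued events are processed before this second's arrivals, oldest first.
        while queue and capacity > 0:
            batch = queue[0]
            take = min(capacity, batch[1])
            batch[1] -= take
            depth -= take
            capacity -= take
            stats.max_latency_s = max(stats.max_latency_s, t - batch[0])
            if batch[1] == 0:
                queue.popleft()
        # Whatever capacity is left goes to this second's arrivals; the rest is queued.
        excess = incoming - min(capacity, incoming)
        if excess > 0:
            if queue_limit is not None and depth + excess > queue_limit:
                stats.dropped += depth + excess - queue_limit
                excess = queue_limit - depth
            if excess > 0:
                queue.append([t, excess])
                depth += excess
        stats.peak_depth = max(stats.peak_depth, depth)
        if depth > 0:
            was_backlogged = True
        elif was_backlogged and stats.cleared_after_s is None:
            stats.cleared_after_s = t + 1  # end of second t is t + 1 seconds elapsed
    return stats


# Constructed traffic profiles for a host allocated 10,000 EPS (assumed figures).
ALLOCATED = 10_000
BURST = [15_000] * 30  # a 30-second spike at 15,000 EPS, 5,000 EPS above the allocation


def burst_then_baseline(baseline_eps: int, seconds: int = 400) -> QueueStats:
    """The page's example: same 10,000 EPS allocation, different average rates."""
    return simulate(ALLOCATED, BURST + [baseline_eps] * seconds)


def sustained_overload(queue_limit: int, seconds: int = 120) -> QueueStats:
    """Average rate above the allocation: the queue never drains, whatever its size."""
    return simulate(ALLOCATED, [11_000] * seconds, queue_limit=queue_limit)


if __name__ == "__main__":
    for avg in (9_500, 7_000):
        s = burst_then_baseline(avg)
        print(f"avg {avg:>6} EPS: backlog cleared {s.cleared_after_s - len(BURST)} s after the burst, "
              f"peak {s.peak_depth} queued, worst wait {s.max_latency_s} s")
    for limit in (50_000, 100_000):
        s = sustained_overload(limit)
        print(f"queue limit {limit:>7}: cleared={s.cleared_after_s}, "
              f"worst wait {s.max_latency_s} s, dropped {s.dropped}")
```

Both burst runs queue the same 150,000 events, but with 500 EPS of headroom the backlog persists for 300 seconds after the spike ends, against 50 seconds with 3,000 EPS of headroom. In the overload runs the queue never clears; the larger limit only lets events wait twice as long (and drop later) before the host gets to them.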