Troubleshooting rule performance visualization

This reference provides troubleshooting information for rule performance visualization.

Why am I not seeing metrics for a rule?

Table 1. Rule metrics issues

Issue: Performance Analysis is not enabled.
Solution: Deploy the changes.

Issue: Metrics do not display for rules that are not enabled.
Solution: Works as designed. Metrics display only for enabled rules.

Issue: Metrics do not display for offense rules.
Solution: Works as designed. Metrics are collected only for event, common, and flow rules.

Issue: Metrics do not display for a rule.
Solution: The rule might have been modified recently, which resets its metrics. The metrics are cleared for the rule that you modified. If you don't want the metrics to be reset when a rule is resaved, disable Reset Metrics on Rule Change.

Why would I want to change the upper and lower thresholds?

Whether you want to change the upper and lower threshold limits depends on what you consider an acceptable events per second (EPS) or flows per second (FPS) throughput for your rules. A good starting point is your general system EPS or FPS throughput: set the upper threshold limit a few thousand above it and the lower threshold limit a few thousand below it. When you change these settings, keep your license and hardware throughput limitations in mind; the upper limit doesn't need to go above your license or hardware capacity. Typically, as you use this feature to tune your rules, you raise the lower limit slightly so that you can focus on the under-performing rules.

Example:
  • General EPS load for system: 5,000 EPS
  • Upper Limit: 8,000 EPS
  • Lower Limit: 2,000 EPS

Rules that can process 8,001 EPS or more display three green bars. Rules that can process only 1,999 EPS or fewer display one red bar. All rules between these values are marked with two orange bars. After you tune all of the rules that display red bars, so that only orange and green bars remain, you can increase the lower limit to 3,000 EPS.
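The bucketing and tuning loop described above, as an added example that is not IBM's code: it applies the page's boundaries (8,001 EPS and above is green, 1,999 EPS and below is red), checks new limits against licensed capacity, and raises the lower limit only once no rule is red. The rule names, EPS figures, and the 1,000 EPS step are constructed assumptions.

```python
# Added example, not IBM's code: models how the Performance column buckets a
# rule's measured throughput against the upper and lower threshold limits, and
# how the lower limit is raised once no rule shows a red bar.
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    lower: int  # EPS below this value shows one red bar
    upper: int  # EPS above this value shows three green bars


def bars(eps: int, t: Thresholds) -> int:
    """Number of bars shown for a rule: 3 green, 2 orange, 1 red.
    Boundaries follow the page's example: 8,001+ is green, 1,999 and below is red."""
    if eps > t.upper:
        return 3
    if eps < t.lower:
        return 1
    return 2


def check_thresholds(t: Thresholds, license_eps: int) -> list[str]:
    """Sanity checks before saving new limits: the upper limit has no reason to
    exceed licensed or hardware capacity, and the lower limit must stay below it."""
    problems = []
    if t.lower >= t.upper:
        problems.append("lower limit must be below the upper limit")
    if t.upper > license_eps:
        problems.append(f"upper limit {t.upper} exceeds licensed capacity {license_eps}")
    return problems


def rules_to_tune(rule_eps: dict[str, int], t: Thresholds) -> list[str]:
    """Rules currently showing a red bar, slowest first."""
    red = [r for r, e in rule_eps.items() if bars(e, t) == 1]
    return sorted(red, key=lambda r: rule_eps[r])


def next_lower_limit(rule_eps: dict[str, int], t: Thresholds, step: int = 1000) -> int:
    """Keep the lower limit while any rule is red; otherwise raise it by `step`
    (the page's example goes from 2,000 to 3,000; the step size is an assumption)."""
    return t.lower if rules_to_tune(rule_eps, t) else t.lower + step


# Constructed sample metrics (rule name -> measured EPS), not real QRadar data.
SAMPLE_RULES = {"rule-A": 12000, "rule-B": 4500, "rule-C": 1200, "rule-D": 800}
LIMITS = Thresholds(lower=2000, upper=8000)

if __name__ == "__main__":
    for name, eps in SAMPLE_RULES.items():
        print(f"{name}: {eps} EPS -> {bars(eps, LIMITS)} bar(s)")
    print("tune first:", rules_to_tune(SAMPLE_RULES, LIMITS))
```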

Why does a disabled rule show as expensive?

When rule performance is turned on, previous values might display for disabled rules, which might cause the rule to show as expensive.

If you selected Reset Metrics on Rule Change when you enabled rule performance, reset the metrics for the rule by editing the rule, and then saving it. The metrics are cleared for the rule that you modified.

You can view the metrics for a rule from the Rules page when you move the mouse pointer over the colored bars in the Performance column, and in the Performance Analysis textbox, which is in the lower-right corner of the Rules page. You can also view the metrics for a rule in the Rule Wizard when you edit a rule. The timestamp in the Performance Analysis textbox shows when the metrics for the rule were updated.
Figure 1. Timestamp in the Performance Analysis textbox

For more information about editing rules, see the IBM® QRadar® User Guide.