Event processing performance

Your IBM® QRadar® configuration might impact the event processing pipeline.

Event processing can be affected by DSM extensions, custom properties, rule tests, and global views. Event parsing and the custom rules engine automatically detect dropped events, run self-monitoring diagnostics, and report which DSM extensions, rules, and properties are slow.

Non-optimized custom properties

Custom properties are marked as optimized when they are regularly used for QRadar rules or for searching and filtering.

Non-optimized custom properties must be parsed by the system at the time they are needed, which slows searches and the loading of results in the web browser.

Rule tests that impact performance

Rules that test for regular expressions in an event payload affect QRadar performance because they search the entire payload.

Before you add a payload test to a rule, use rule filters to reduce the number of events that reach the payload test. For example, when you search for a specific message in the Active Directory logs, apply the following filters to the rule:
  • Log source type filter
  • Log source group or specific log source filter
  • An optional source IP address filter

The Host with port open test can impact performance because it compares passive and active ports with the events and flows that are received by QRadar. Before you use the test, do a bidirectional check to ensure that the host responds to the communication request.
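The following simplified model, added here as an example and not taken from QRadar, shows why the filter order matters. Rule tests are ANDed and evaluated in order, so a cheap log source type, log source, or source IP test that fails stops the event before the regular expression is ever run against its payload. The events, field names, log source names, and helper functions are constructed for the illustration.

```python
import re

# Constructed sample events (not real QRadar data). Each event carries the
# normalized fields a rule can filter on, plus the raw payload.
EVENTS = [
    {"log_source_type": "Microsoft Windows Security Event Log", "log_source": "dc01",
     "source_ip": "10.0.0.5", "payload": "EventID=4625 An account failed to log on user=alice"},
    {"log_source_type": "Microsoft Windows Security Event Log", "log_source": "dc01",
     "source_ip": "10.0.0.7", "payload": "EventID=4624 An account was successfully logged on user=bob"},
    {"log_source_type": "Linux OS", "log_source": "web01",
     "source_ip": "10.0.1.2", "payload": "sshd[123]: Failed password for invalid user admin"},
    {"log_source_type": "Cisco ASA", "log_source": "fw01",
     "source_ip": "192.0.2.1", "payload": "%ASA-6-302013: Built outbound TCP connection"},
    {"log_source_type": "Microsoft Windows Security Event Log", "log_source": "dc02",
     "source_ip": "10.0.0.9", "payload": "EventID=4625 An account failed to log on user=carol"},
]

# The expensive test: a regular expression that scans the whole payload.
PAYLOAD_PATTERN = re.compile(r"EventID=4625.*failed to log on")

# Cheap filter tests, modelled as predicates on normalized fields (hypothetical
# helpers, named to mirror the filters listed in the text above).
def log_source_type_is(name):
    return lambda ev: ev["log_source_type"] == name

def log_source_in(names):
    return lambda ev: ev["log_source"] in names

def source_ip_is(ip):
    return lambda ev: ev["source_ip"] == ip

def evaluate_rule(events, prefilters, payload_pattern):
    """Evaluate a rule whose tests are ANDed in order, short-circuiting on the
    first failed test. Returns (matching events, number of regex evaluations)
    so the cost of the payload test can be compared across filter choices."""
    matches = []
    regex_runs = 0
    for ev in events:
        # all() over an empty list is True, so a rule with no prefilters
        # sends every event to the payload test.
        if all(test(ev) for test in prefilters):
            regex_runs += 1
            if payload_pattern.search(ev["payload"]):
                matches.append(ev)
    return matches, regex_runs

def compare_filter_orderings(events=EVENTS):
    """Run the same detection three ways and report how many times the payload
    regex had to execute for each. Fewer regex runs with the same matches means
    the prefilters did their job."""
    windows = log_source_type_is("Microsoft Windows Security Event Log")
    results = {}
    for label, prefilters in (
        ("payload test only", []),
        ("type + log source", [windows, log_source_in({"dc01", "dc02"})]),
        ("type + log source + source ip", [windows, log_source_in({"dc01", "dc02"}),
                                           source_ip_is("10.0.0.5")]),
    ):
        matches, runs = evaluate_rule(events, prefilters, PAYLOAD_PATTERN)
        results[label] = {"matches": len(matches), "regex_runs": runs}
    return results

if __name__ == "__main__":
    for label, stats in compare_filter_orderings().items():
        print(f"{label:32s} matches={stats['matches']} regex_runs={stats['regex_runs']}")
```

On the five constructed events, the unfiltered rule runs the regular expression five times to find two failed logons; adding the log source type and log source filters finds the same two with three regex evaluations, and narrowing further by source IP runs it once. On a production event rate the same ratio is what separates a rule that keeps up from one the engine reports as slow.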

Global views

A saved search that is grouped by multiple fields generates a global view that has many unique entries. As the volume of data increases, disk usage, processing times, and search performance can be impacted.

To prevent the volume of accumulated data from growing, aggregate searches only on the fields you need. You can further reduce the load on the accumulator by adding a filter to your search criteria.
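The following added example (not QRadar code) models what the accumulator has to keep for a grouped saved search: one entry per unique combination of the grouped fields. It uses a constructed event set and field names that mirror the AQL event fields, and shows how the entry count falls when fewer fields are grouped or a filter is applied before grouping.

```python
from collections import Counter

def build_sample_events():
    """Constructed events (not QRadar data) with a deliberately wide spread of
    field values: 4 source IPs x 5 destination IPs x 3 ports = 60 events."""
    events = []
    for i in range(4):
        for j in range(5):
            for port in (22, 443, 3389):
                events.append({
                    "sourceip": f"10.0.0.{i + 1}",
                    "destinationip": f"198.51.100.{j + 1}",
                    "destinationport": port,
                    # Assumed mapping for the illustration only.
                    "logsourcetype": "Linux OS" if port == 22 else "Cisco ASA",
                })
    return events

def accumulated_groups(events, group_by, where=None):
    """Model of a global view: one accumulator entry per unique tuple of the
    group_by fields, holding the event count. `where` is an optional filter
    applied before grouping, like a filter added to the search criteria."""
    counts = Counter()
    for ev in events:
        if where is None or where(ev):
            counts[tuple(ev[field] for field in group_by)] += 1
    return counts

def view_sizes(events):
    """Number of accumulator entries for several grouping choices on the same
    events, so the effect of each choice can be compared directly."""
    linux_only = lambda ev: ev["logsourcetype"] == "Linux OS"
    return {
        "group by sourceip, destinationip, destinationport":
            len(accumulated_groups(events, ("sourceip", "destinationip", "destinationport"))),
        "group by sourceip, destinationip":
            len(accumulated_groups(events, ("sourceip", "destinationip"))),
        "group by sourceip":
            len(accumulated_groups(events, ("sourceip",))),
        "filter logsourcetype, group by all three":
            len(accumulated_groups(events, ("sourceip", "destinationip", "destinationport"),
                                   where=linux_only)),
    }

if __name__ == "__main__":
    for label, size in view_sizes(build_sample_events()).items():
        print(f"{label:45s} entries={size}")
```

Grouping on all three fields produces an entry for every event in this set (60 entries for 60 events), which is the worst case the text warns about: the view grows as fast as the data. Dropping a field or filtering to one log source type cuts the entry count to what the analysis actually needs.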