Troubleshooting
Problem
The QRadar system notifications repeatedly reports "Performance degradation has been detected in the event pipeline. Events were routed directly."
There are two situations in which the Performance Degradation notification is generated; the performance degradation can occur at the ecs-ec service level (Device Parsing) or the ecs-ep service (Custom Rule Engine).
In this article, we discuss the Performance Degradation at the Device Parsing level.
Symptom
- Events show up with a Low-Level Category of Stored in the Log Activity tab.
- Errors similar to the following appear in the qradar.error log on the Event Collector where the event was received:
com.ibm.si.ec.filters.normalize.DSMFilter: [WARN] [NOT:0080004101][xxx.xxx.xxx.xxx/- -] [-/- -]Device Parsing has sent a total of 18603 event(s) directly to storage. 18603 event(s) have been sent in the last 60 seconds. Queue is at 99 percent capacity. - From the UI, we can see the following Alert: "Performance degradation has been detected in the event pipeline. Events were routed directly":
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"TS010960943","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Log InLog in to view more of this document
This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.
Was this topic helpful?
Document Information
Modified date:
10 January 2023
UID
ibm16831349