IBM Support

QRadar: Detecting Log sources causing Event per Second (EPS) bursts over the license

How To


Summary

When a host's incoming EPS spikes above its allocated license, QRadar places the excess events in the spillover queue. These events are processed only once the incoming EPS drops back below the license threshold. As a result, a burst that exceeds a host's license threshold cannot be detected with the standard time-based filters on the Log Activity tab (for example, Last 12 hours), because QRadar searches use Storage Time by default, and the queued events are stored later than they were generated.

To detect the log sources that cause an EPS rate to spike over the license, search by Log Source Time instead, which is the time the event payload was generated at its source.
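The following is an added illustration, not part of the IBM document and not QRadar's own code: a small model of a spillover burst on constructed events, bucketed per second first by storage time and then by log source time. The license value, log source names and timestamps are hypothetical; it only shows why the burst is invisible when events are counted by the time they were stored.

```python
from collections import Counter, defaultdict

# Constructed sample (not real QRadar data): the host is licensed for 4 EPS.
# Log source "fw-1" emits 10 events in source second 0; the 6 excess events
# wait in the spillover queue and are stored in seconds 1 and 2, once the
# incoming rate is below the license. Times are epoch seconds.
LICENSE_EPS = 4
LOG_SOURCE_TIME = 1  # tuple index of the time the source generated the event
STORAGE_TIME = 2     # tuple index of the time QRadar stored the event
SAMPLE_EVENTS = [
    # (log source, log source time, storage time)
    ("fw-1", 0, 0), ("fw-1", 0, 0), ("fw-1", 0, 0), ("fw-1", 0, 0),
    ("fw-1", 0, 1), ("fw-1", 0, 1), ("fw-1", 0, 1), ("fw-1", 0, 1),
    ("fw-1", 0, 2), ("fw-1", 0, 2),
    ("proxy-1", 1, 3), ("proxy-1", 2, 4),
]


def eps_by_source(events, time_field):
    """Count events per (log source, one-second bucket) using the chosen time field."""
    counts = Counter()
    for ev in events:
        counts[(ev[0], ev[time_field])] += 1
    return counts


def peak_eps(events, time_field):
    """Highest one-second event count observed for each log source."""
    peaks = defaultdict(int)
    for (src, _second), n in eps_by_source(events, time_field).items():
        peaks[src] = max(peaks[src], n)
    return dict(peaks)


def sources_over_license(events, time_field, license_eps=LICENSE_EPS):
    """Log sources whose peak EPS exceeds the license when bucketed by the chosen time."""
    return sorted(src for src, p in peak_eps(events, time_field).items() if p > license_eps)


if __name__ == "__main__":
    # By storage time the burst is smoothed to the license rate and nothing stands out;
    # by log source time the 10 EPS burst from fw-1 is visible.
    print("storage time   :", peak_eps(SAMPLE_EVENTS, STORAGE_TIME),
          sources_over_license(SAMPLE_EVENTS, STORAGE_TIME))
    print("log source time:", peak_eps(SAMPLE_EVENTS, LOG_SOURCE_TIME),
          sources_over_license(SAMPLE_EVENTS, LOG_SOURCE_TIME))
```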

Document Location

Worldwide



Document Information

Modified date:
24 March 2023

UID

ibm16848875