IBM Support

QRadar: Understanding EPS Average, EPS PEAK, and License Threshold

Troubleshooting


Problem

The EPS (Events Per Second) rate is one of the most important performance metrics in QRadar. This metric is critical to assess whether a QRadar deployment is scaled and licensed correctly for the event volume received. Licensing based on EPS rate is enforced at the ecs-ec-ingress process.

Diagnosing The Problem

When administrators use the default dashboard graphs in QRadar, the values like License Threshold, EPS Peak times, or EPS Average time for Events Per Second (EPS) might not be accurate.
For example, there are conditions with Quick Search Event Rate (EPS) which does not always provide accurate results. A better metric for EPS calculations is suggested by using Linux scripts from the command-line method.

Resolving The Problem

This command provides you with a live output of the current EPS Average, EPS PEAK, and License Threshold on your deployment:
grep Incoming /var/log/qradar.log | grep ecs-ec-ingress.ecs-ec | grep -v flow | awk '{print $1,$2,$3,"60s EPS Average:",$29,"60s EPS PEAK:",$42,"License Threshold:",$66}'
This produces metrics similar to:
EPS
  • EPS Average: This is the current number of events processed in the last 60 sec. To avoid performance issues or events from being dropped, this number must not exceed the License Threshold.
  • EPS Peak: The peak in the last minute is used for tracking over license issues and spikes that cause performance issues. To avoid performance issues or events from being dropped, this number must not exceed the License Threshold
  • License Threshold: This value represents the number of events that you are licensed to process in QRadar 

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtEAAQ","label":"Log Activity"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
20 December 2023

UID

ibm17100982

Page Feedback