Question & Answer
Question
Why do events get dropped from a QRadar device that has a routing rule set to Log Only (Exclude Analytics) when incoming events are more than the allocated Events Per Second (EPS) on the QRadar device?
Answer
Consider a QRadar device with a license of 500 EPS.
Assume that the incoming event rate is 1000 EPS and that all the incoming events are set to Log Only (Exclude Analytics) in the routing rules.
Although the Log Only option effectively does not consume license, events can still be dropped in this situation.
The reason is that license throttling happens before the routing rules route the events. The additional EPS therefore triggers the license threshold exceeded message and causes events to be dropped.
For more information about QRadar components and QRadar events & flows, refer to the following article:
Even though Log Only (Exclude Analytics) credits 100% back to the license as part of license giveback, this is valid only when the events that match the Log Only (Exclude Analytics) routing rule are less than or equal to the EPS allocated on that system.
For more information on routing rules, review Configuring routing rules to use the QRadar Data Store.
Document Information
Modified date:
30 June 2023
UID
ibm17003565