000026984 - How to optimize lookup_and_add queries in RSA Security Analytics

When using lookup_and_add queries, this can result in a vast number of subqueries being generated to complete the task.  Because of this, running these queries can be very performance-intensive and take a long time to complete.

The recommendations below may be used to modify the queries to improve their efficiency.

Modify the maximum pending queries on devices.

1. In the Security Analytics UI, navigate to Administration -> Devices.
2. Select the device (i.e. broker or concentrator) that will be the subject of a query and click on View -> Explore.
3. Navigate to sdk -> config in the directory tree in the left pane.
4. Change the value of the max.pending.queries to be 1000.  (The default is 100)
5. After making the change, restart the services on the appliance.
6. Repeat the above steps for all other devices against which queries will be executed.

Change the lookup_and_add configuration on the Reporting Engine.

1. In the Security Analytics UI, navigate to Administration -> Devices.
2. Select the Reporting Engine that will be the subject of a query and click on View -> Config.
3. Change the lookup_and_add setting to 10.  (The default is 2)

Change the query level for those who are executing the queries.

1. In the Security Analytics UI, navigate to Administration -> Devices.
2. Select the device (i.e. broker or concentrator) that will be the subject of a query and click on View -> Security.
3. Click on the users that wil be making the queries and change the Query Level to 1, which by default allows for a 60 minute timeout on queries.
4. Repeat steps 1-3 for all other devices against which queries will be executed, or use the Replicate button to push the change to the other devices.

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.