|Applies To||RSA Security Analytics, RSA NetWitness NextGen, RSA NetWitness NextGen 9.8|
|Issue||How to troubleshoot slow query performance on RSA Security Analytics concentrators and brokers.|
Steps for troubleshooting slow query performance issues on concentrators and brokers in Security Analytics.
How do I improve query performance in Security Analytics?
If you suspect that Investigation is slow and that queries are taking a while, use the following steps to determine the possible cause.
The Broker sends queries to upstream concentrators, so most of the time the issues are on the concentrators, not on the broker.
If you suspect a Broker issue (e.g., Investigation is slow only on the broker but not on the concentrators), an index reset on the broker will sometimes do the trick. To reset the index on the Broker, do it through the nwconsole of the thick NwAdmin client or manually:
Check /sdk/stats/queries and watch how many queries are currently running and their progress. Usually values calls take a long time (these are the queries with query-type "value"), and "status" gives some details (e.g., slowly scanning index page etc.). From this node we can also identify the concentrators that have been running queries for a long time.
- Then, if it's really stuck, force a core dump: kill -SEGV (concentrator PID). Get the currently running version number and the core dump file for offline troubleshooting.
- If we identify that the bottleneck is the capacity of the concentrator on a 10.2 system, a new feature in 10.3 (concentrator gang) can be considered when upgrading the system. Basically, multiple concentrators can connect to one decoder so that later queries from the broker can be load balanced between these middle-level concentrators.
|Legacy Article ID||a64824|