| Applies To | RSA Product Set: Security Analytics<br>RSA Product/Service Type: Security Analytics UI, Decoder, Concentrator, Archiver<br>RSA Version/Condition: 10.5.x |
| Issue | After upgrading to Security Analytics 10.5.x from 10.4.x, investigations experience poor performance. Meta values which previously loaded quickly in 10.4.x may take 5-10 minutes or longer to load. |
| Cause | This issue occurs because index database slicing changed between versions 10.4.x and 10.5.x: size-based slice rolls were introduced to replace the time-based index slice rolls. In earlier releases, the use of time-based index slicing caused indexes to roll every 8 hours, regardless of how much data was contained in the index slice. While this model is suitable for high bandwidth utilization, when Concentrators, Decoders, or Archivers are under light load it may cause the index partition to contain a very large number of very small index slices. With so many tiny index slices, open operations in the Investigation module must traverse a great number of indexes to retrieve the same amount of information. |
| Workaround | As explained in the Security Analytics 10.5 Core Database Tuning Guide, under certain circumstances the only way to rectify extreme performance sluggishness in investigations after upgrading to Security Analytics 10.5.x is to perform a core appliance database reindex.<br>NOTE: No data can be collected on Decoders while a reindex is being performed.<br>Depending on the amount of data, the reindex may take several days to complete on a loaded Concentrator or Decoder, and may potentially take several days on an Archiver as well.<br>For instructions on performing a manual index on a Concentrator, Decoder, or Archiver appliance, refer to the article entitled "How to Index Reset an RSA Security Analytics Appliance in Explore View". |