This topic tells administrators how to set a memory usage threshold for trial rules. When the threshold is exceeded, all deployed trial rules are disabled.
This procedure is optional. Administrators can increase or decrease the memory threshold for trial rules. Threshold refers to the ESA memory usage, which includes ESA base memory, trial rules and non-trial rules. When the threshold is exceeded, all deployed trial rules on an ESA service are disabled.
You use trial rules to see if a rule runs efficiently and does not use excessive memory, which can impact performance or force the service to shut down.
By default, the memory threshold is 85, which is the percentage of Java Virtual Memory (JVM).
- The memory threshold is per ESA, not per rule.
- When the memory threshold is exceeded, all trial rules running on the ESA are automatically disabled.
- The ESA configuration has two parameters for trial rules:
- MemoryCheckPeriod, which has a default value of 300 seconds
For more information, see Work with Trial Rules in the Alerting Using ESA Guide.
A role with administrative privileges must be assigned to you.
- Log on to Security Analytics as admin.
- In the Security Analytics menu, select Administration > Services.
- Select the ESA service, then > View > Explore.
- On the left, select CEP > Module > configuration.
- In the right panel, in MemoryThresholdForTrialRules type a percentage of JVM that trial rules on the ESA can not exceed.
The new memory threshold takes effect immediately.