Average Events per second
Anagha, I'm unclear what you're asking. NetWitness can scale up to any number of events per second. Are you looking for the average events per second a single appliance can ingest? Is it one of our appliances, and if so, which one? Is it a virtual appliance? If so, what environment is it running in (AWS, Azure, ESXi, Hyper-V, etc.) and how many resources have you provided it?
Dear Sean, I am looking for the average events per second an RSA hybrid log appliance can ingest. Checking the log stat, the max capture rate is 1,786 EPS.
As per https://community.rsa.com/docs/DOC-53468, 20K is the sustained EPS on a log hybrid (for Series 5 and Series 6 appliances, and 10K for Series 4S).
Your hybrid appliance is so much more capable than collecting events at 1,786 EPS.
Hi James, the 20k figure is the max number of EPS the RSA can handle, but the customer is inquiring about the average events per second. The customer is also asking for the average EPS on a daily or weekly basis.
20K is the sustained EPS but other factors like parsers, feeds and app rules need to be taken into consideration.
To calculate the average daily EPS, you can run a test rule for the last 24 hours with the following simple condition from MONITOR-Reports.
Where: did exists
Dividing the returned session number (per decoder) by 24*60*60 will give you the average EPS for the day.
For the weekly average, you just need to adjust the time to the past 7 days and divide the results by 7*24*60*60.
Thanks for the response.
Kindly also clarify the inquiries below. By the way, we do have an SA, ESA, Log Hybrid and Packet Hybrid in our current setup, and the client wants to know the following:
1. The EPS of the whole setup (clarify if this EPS includes Packet Decoder)
2. The average capture rate of the Packet decoder.
The EPS for the logdecoder and packet decoder can be found on the ADMIN-Services-Stats page for the decoder services. For ESA, please refer to CONFIGURE-ESA Rules-Services-Offered Rate.
The average capture rate for the packet decoder can be calculated in the same way as answered above.
I would suggest opening a case with Support if further clarification is required so that we can show how these can be done.