As you run queries on the Concentrator and/or Broker (through the UI "Investigate tab" or queries that are run by the Reporting Engine), slowness may occur. As the complexity of the query increases, it may cause the query to run over longer periods of time. This can cause the query to reserve and uses larger amounts of resources (Memory).
In this case, you must identify the top queries consuming resources for fine-tuning purposes.
To identify top queries running on a Concentrator or Broker, review the following.
Run the below command from the Concentrator's or Broker's SSH session. It will show from the Nwconsole the following information based on the number of top queries being requested: Query Syntax, Time to Run, and the % of Memory Utilized.
Command: NwConsole -c topquery input=/var/log/messages top=<top number of queries>
Example of Command Output [root@lconcentrator ~]# NwConsole -c topquery input=/var/log/messages top=5 RSA NetWitness NextGen Console 188.8.131.52 Copyright 2001-2020, RSA Security Inc. All Rights Reserved.