We are working on defining average EPS utilization on collectors after observing EPS overflow alerts in our RSA enVision setup.
In order to identify the average EPS on collectors, we are using the NIC message ID below, which is triggered every 10 sec from each collector and shows throughput/sec.
%NIC-6-400023: Collector, Collector, -, -, -, -, Detail: 1896: Throughput: 1615 events/second
Using this message ID we have created a report, and it has been observed that during peak hours EPS is approximately 3500-4000.
To define the average EPS on collectors we have taken the average of these messages on a per hour, per 30 min, and per 15 min basis.
This is not helping us to identify the correct average EPS, since even when taking a 15 min average the maximum average EPS does not cross 2500, which is not the correct average EPS.
Can anyone help me identify the best practice for defining average EPS utilization on collectors? Also, I would like to know what the threshold limit should be for upgrading the EPS license or installing new collectors.
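
An added example, not part of the original post: it parses the throughput value from the %NIC-6-400023 message and reports the mean and the peak for fixed windows, so the two can be compared at each window size. It assumes one collector, samples in arrival order at 10-second spacing, and constructed sample values; `parse_throughput`, `window_stats` and `make_line` are hypothetical helper names.

```python
import re
from statistics import mean

# Matches the throughput figure in the NIC-6-400023 message quoted in the post.
PATTERN = re.compile(r"%NIC-6-400023:.*Throughput:\s*(\d+)\s*events/second")
SAMPLE_INTERVAL_S = 10  # per the post: one message every 10 sec per collector


def parse_throughput(lines):
    """Return the events/second values from matching lines, in order."""
    values = []
    for line in lines:
        m = PATTERN.search(line)
        if m:
            values.append(int(m.group(1)))
    return values


def window_stats(values, window_s):
    """Split samples into fixed windows; return (mean, max) for each window."""
    per_window = window_s // SAMPLE_INTERVAL_S
    stats = []
    for i in range(0, len(values), per_window):
        chunk = values[i:i + per_window]
        stats.append((round(mean(chunk)), max(chunk)))
    return stats


def make_line(eps):
    # Constructed line in the format of the message quoted in the post.
    return ("%NIC-6-400023: Collector, Collector, -, -, -, -, "
            f"Detail: 1896: Throughput: {eps} events/second")


# Constructed 15 minutes of samples (90 x 10 s): a 2-minute burst at 3800 EPS
# on top of a 1500 EPS baseline. These numbers are illustrative, not measured.
SAMPLE_LINES = [make_line(3800 if 30 <= i < 42 else 1500) for i in range(90)]

if __name__ == "__main__":
    values = parse_throughput(SAMPLE_LINES)
    for window_s in (60, 300, 900):
        print(f"{window_s:>4}s windows:", window_stats(values, window_s))
```

With the constructed data, the 15-minute window reports a mean far below the burst value while the per-window maximum still shows it.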