IBM Support

QRadar: About EPS & FPM Limits

Question & Answer


Question

Is the EPS/FPM license limit peak EPS/FPM, or average EPS/FPM?

Answer

Event Per Second (EPS) Licensing
The EPS license is applied and enforced in real time, twice per second, on the raw inbound event stream. Every half second, the system pulls the allocated number of events off the queue; any events left over are "throttled", that is, held in the queue (buffered) until the next half-second period.

If you are over your license limit for more than 50% of the half-second periods in a minute, QRadar logs a notification for that minute stating that you are over your license. Data is not being dropped; it is being throttled (buffered).

For more information on event and flow buffering, see: QRadar Event & Flow Burst Handling (http://www-01.ibm.com/support/docview.wss?uid=swg21687020)


Flow Per Minute (FPM) Licensing
While EPS licenses are described as a "per second" value, flow licenses are usually documented as a "per minute" value. This is because a flow can have a life span that spans multiple seconds, and multiple minutes or "intervals", so flows are really tracked as "sessions" rather than as strict, instantaneous events. These sessions, or "flows", are created by the QRadar flow collector components and then streamed, each minute, to the flow processing pipeline. If the flow collector itself goes over its allocated license (the number of unique sessions it can create per minute), it creates "overflow" records with a source IP of 127.0.0.4 and a destination IP of 127.0.0.5, one flow per unique protocol (ICMP, UDP, TCP, etc.), with any remaining bytes and packets in that minute interval counted into those records.

In the flow processing pipeline, flows are handled like events, in that the "flow license" rate is applied twice per second. A flow-per-minute license of, say, 300,000 flows is equivalent to a "per second" rate of 5,000. Thus, twice per second, 2,500 flows are sent through the pipeline.

As with events, if you are over that rate of flows per second, the excess records are buffered (throttled). If they are throttled for more than 50% of the time in a minute, a notification is logged and shown in the notification area of QRadar.



How can you tell how much EPS/FPM is left before reaching your license limit?

To determine how close you are to your limit, monitor the "Event Rate (Events Per Second Raw)" graph on the System Monitoring Dashboard in QRadar. This shows the current data rate, which you can then compare with the per-appliance license configuration in your deployment.


When you hit your event or flow license limit, data is buffered in memory and then out to disk, depending on the size and duration of the bursts over your license. After the event rate drops below your license limit, QRadar continues to run at the maximum licensed rate, which lets it work down the events and flows in the burst (buffer) queues.

For example, if your license is 5,000 EPS and your normal rate is 4,000 EPS, a burst to 10,000 EPS for 5 seconds leaves 5 × (10,000 - 5,000) EPS, or 25,000 events, in the buffer. With a normal rate of 4,000 EPS, which gives you 1,000 EPS of "overhead" capacity, it takes around 25 seconds to catch up again, assuming no further bursts.

Note: events are always processed in the order they are received; that does not change. This is described in more detail in QRadar Event & Flow Burst Handling.
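The following is an added, constructed model of the throttling behaviour described above (the half-second license ticks, the "over 50% of the minute" notification rule, the FPM-to-per-tick conversion, and the burst/catch-up arithmetic). It is not QRadar code and not from IBM; the function names, the per-second input timeline and the summary fields are assumptions made for illustration. It reproduces the page's worked example (5,000 EPS license, 4,000 EPS baseline, a 5-second burst to 10,000 EPS) and shows why no data is lost: whatever is not processed in a tick stays in the backlog.

```python
"""Constructed model of QRadar-style half-second license throttling (added example)."""
from dataclasses import dataclass
from typing import List

TICKS_PER_SECOND = 2                    # license applied twice per second (per the page)
TICKS_PER_MINUTE = 60 * TICKS_PER_SECOND


def fpm_to_per_tick(fpm: int) -> float:
    """Convert a flows-per-minute license into the per-half-second allowance."""
    return fpm / 60 / TICKS_PER_SECOND


@dataclass
class SecondStats:
    second: int
    inbound: int
    processed: float        # records released to the pipeline during this second
    backlog: float          # records still waiting in the burst buffer at end of second
    throttled_ticks: int    # half-second periods in which something was held back


def simulate(inbound_per_second: List[int], license_per_second: int) -> List[SecondStats]:
    """Run the inbound stream through the twice-per-second license gate.

    Nothing is ever dropped: each tick releases at most the per-tick allowance
    and carries the remainder forward as backlog (the burst buffer).
    """
    allowance = license_per_second / TICKS_PER_SECOND
    backlog = 0.0
    stats: List[SecondStats] = []
    for sec, rate in enumerate(inbound_per_second):
        processed = 0.0
        throttled = 0
        for _ in range(TICKS_PER_SECOND):
            backlog += rate / TICKS_PER_SECOND
            released = min(backlog, allowance)
            backlog -= released
            processed += released
            if backlog > 0:
                throttled += 1
        stats.append(SecondStats(sec, rate, processed, backlog, throttled))
    return stats


def catch_up_seconds(stats: List[SecondStats]) -> int:
    """Seconds from the peak backlog until the buffer first drains to zero (-1 if never)."""
    peak = max(range(len(stats)), key=lambda i: stats[i].backlog)
    for s in stats[peak + 1:]:
        if s.backlog == 0:
            return s.second - stats[peak].second
    return -1


def minutes_over_license(stats: List[SecondStats]) -> List[int]:
    """Minute indexes that would raise the 'over license' notification.

    The page's rule: throttled for more than 50% of the half-second periods
    in that minute. Trailing partial minutes are ignored.
    """
    flagged = []
    for start in range(0, len(stats) - len(stats) % 60, 60):
        throttled = sum(s.throttled_ticks for s in stats[start:start + 60])
        if throttled > TICKS_PER_MINUTE / 2:
            flagged.append(start // 60)
    return flagged


# Constructed timeline matching the page's example: 5 s at baseline, 5 s burst, then baseline.
BURST_TIMELINE = [4000] * 5 + [10000] * 5 + [4000] * 50
BURST_STATS = simulate(BURST_TIMELINE, license_per_second=5000)

if __name__ == "__main__":
    peak = max(s.backlog for s in BURST_STATS)
    print(f"peak backlog: {peak:.0f} events")                      # 25000
    print(f"catch-up time: {catch_up_seconds(BURST_STATS)} s")    # 25
    print(f"minutes flagged: {minutes_over_license(BURST_STATS)}")  # [] (under 50%)
    print(f"300,000 FPM -> {fpm_to_per_tick(300000):.0f} flows per half second")  # 2500
```

Feed it a sustained over-license rate (for example sixty seconds of 6,000 EPS against the same 5,000 EPS license) and every tick is throttled, so minute 0 is flagged; with the burst timeline the backlog is throttled for 59 of 120 ticks, just under the 50% threshold, so no notification would be raised even though 25,000 events sat in the buffer.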


Document Information

Modified date:
07 January 2021

UID

swg21963963