Scribd
Upload
139 views2 pages

EPS Query

The document provides various AQL queries to calculate Events Per Second (EPS) based on different time intervals (1 day, 1 hour, 7 days) and by event name or log source. It also includes instructions for checking EPS for specific event IDs and log source types, as well as guidelines for monitoring license pool configurations in QRadar. Additionally, it highlights the importance of managing EPS limits to avoid throttling of events.

Uploaded by

OPINION By JJafri
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
139 views2 pages

EPS Query

The document provides various AQL queries to calculate Events Per Second (EPS) based on different time intervals (1 day, 1 hour, 7 days) and by event name or log source. It also includes instructions for checking EPS for specific event IDs and log source types, as well as guidelines for monitoring license pool configurations in QRadar. Additionally, it highlights the importance of managing EPS limits to avoid throttling of events.

Uploaded by

OPINION By JJafri
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 2

one DAY EPS CHECK

#select DATEFORMAT(devicetime,'dd-MM-yy') as 'Date', sum(eventcount)/86400 as


'Event Count' from events GROUP BY 'Date' START '2022-12-01 00:01' STOP '2022-12-01
23:59'

one hour EPS CHECK


#select DATEFORMAT(devicetime,'dd-MM-yy') as 'Date', sum(eventcount)/3600 as 'Event
Count' from events GROUP BY 'Date' START '2022-04-04 12:00' STOP '2022-04-04 13:00'

AQL Query to calculate the EPS by Event Name, Last 7 days


#SELECT QIDNAME(qid) As "Event Name", "EventID" AS "Event ID",
LOGSOURCENAME(logsourceid) AS "Log Source", LOGSOURCETYPENAME(devicetype) AS "Log
Source Type", CATEGORYNAME(category) AS Category, COUNT(*) AS "Number of Events",
SUM(eventcount)/(7*24*60*60) AS "EPS by Event Name" FROM events WHERE
LOGSOURCETYPENAME ( devicetype ) = 'Microsoft Windows Security Event Log' GROUP BY
"Event Name", "Log Source", "Log Source Type", "Event ID" ORDER BY "Number of
Events" DESC LAST 7 Days

AQL Query to calculate the EPS by Event Name, Last 1 day


#SELECT QIDNAME(qid) As "Event Name", "EventID" AS "Event ID",
LOGSOURCENAME(logsourceid) AS "Log Source", LOGSOURCETYPENAME(devicetype) AS "Log
Source Type", CATEGORYNAME(category) AS Category, COUNT(*) AS "Number of Events",
SUM(eventcount)/(24*60*60) AS "EPS by Event Name" FROM events GROUP BY "Event
Name", "Log Source", "Log Source Type", "Event ID" ORDER BY "Number of Events"
DESC LAST 1 Days

AQL Query to calculate the EPS by Event Name, Last 1 hour


#SELECT QIDNAME(qid) As "Event Name", "EventID" AS "Event ID",
LOGSOURCENAME(logsourceid) AS "Log Source", LOGSOURCETYPENAME(devicetype) AS "Log
Source Type", CATEGORYNAME(category) AS Category, COUNT(*) AS "Number of Events",
SUM(eventcount)/(60*60) AS "EPS by Event Name" FROM events GROUP BY "Event Name",
"Log Source", "Log Source Type", "Event ID" ORDER BY "Number of Events" DESC LAST
1 HOURs

AQL Query to calculate the EPS by Log source , Last 1 day


#SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of
Events in Interval", SUM(eventcount) / 86400 AS "EPS in Interval" FROM events GROUP
BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 24 HOURS
# Search : GROUP by Log Source | COLUMNS by Event Count

AQL Query to calculate the EPS by Log source , Last 7 days


# SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of
Events in Interval", SUM(eventcount) / (7*24*60*60) AS "EPS in Interval" FROM
events GROUP BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 7 DAYS

AQL Query to calculate the EPS by Log source for Any day
SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of
Events in Interval", SUM(eventcount) / 86400 AS "EPS in Interval" FROM events GROUP
BY "Log Source" ORDER BY "EPS in Interval" DESC START '2022-11-25 00:01' STOP
'2022-11-25 23:59'

To check EPS for Event ID 5156


#SELECT QIDNAME(qid) As "Event Name" , SUM(eventcount)/(60*60) AS "EPS by Event
Name" FROM events WHERE "Event ID" = 5156

To check EPS for Log source type last 1 hour


#SELECT LOGSOURCETYPENAME(devicetype) AS "Log Source Type", COUNT(*) AS "Number
of Events", SUM(eventcount)/(60*60) AS "EPS by log source Type" FROM events GROUP
BY "Log Source Type" ORDER BY "Number of Events" DESC LAST 1 HOURS

#SELECT LOGSOURCETYPENAME(devicetype) AS "Log Source Type", COUNT(*) AS "Number of


Events", SUM(eventcount)/(86400) AS "EPS by log source Type" FROM events GROUP BY
"Log Source Type" ORDER BY "Number of Events" START '2023-07-06 00:01' STOP '2023-
07-06 23:59'

CHECK ERROR LOG SOURCES


Linux OS : ; LinuxServer @ admin-portal ; LinuxServer @ asvmkhvmdct0010
Win OS : 172.16.24.183 WEBTECH ;

Critical apps ; Security devices ; NW devices ; DBs ; Linux ; Win Servers


1k EPS: AD, EPP, core-FWs, core-switches,routers, Fortigate, WAF , LB, Xchange-OS
initial , Critical Win OS, Linux OS Scope for 750 EPS Critical: Xchange
app, EFA, DBs itself, FMC-DC

Microsoft Xchange Server : 400-500 Bluecoat : 100-200 IronPort : 100-200 Critical


apps : 200-300 FTD-STP & FMC-DC : 20

First check your License Pool Configuration.Go to Admin>System and License


Management>Display "Licenses" then click Licence Pool Management to check your EPS
Allocation.
As Qradar Documentation says "EPS license is applied and processed on a real-time
basis, twice per second, on the raw, inbound event stream.
Every half second, the system will pull off the allocated number of events, and if
there are events left in the queue, they are "Throttled", and held in the queue
(buffered) until the next half second period.
If you are over your license limit for more than 50% of the time, during each
minute, you will see notifications from QRadar that you are over your license that
many times per minute.
Data is not being dropped, but it is being throttled or buffered." In Short, "
Event Rate (Events Per Second Raw) " applies on licensing.

GRAPH:
https://www.ibm.com/support/pages/qradar-event-rate-eps-graph-may-not-reflect-
entire-event-load-system

** Events per Second Raw - Average 1 Min

You might also like