Highlighted
Super Contributor.. Super Contributor..
Super Contributor..
422 views

Increase the maximum number of events in a case

Jump to solution

Hello,

Is it possible to increase the maximum number of events included in a case ?

I think the limit is 1000 or 2000 events which is quite low. I want to increase it to something like 5000 events.

Tags (3)
0 Likes
1 Solution

Accepted Solutions
Highlighted
Acclaimed Contributor.. Acclaimed Contributor..
Acclaimed Contributor..

There is a property "rules.max_events_in_case" which is defaulted to 1000 in server.defaults.properties.  You should be able to override that to another value, just put it in server.properties.

View solution in original post

3 Replies
Highlighted
Visitor..
Visitor..

If you are talking about aggregation correlated events in a case its not a good practice to to aggregate 1000 events in a rule it would be a bottleneck to have so many events waiting in queue. Even increasing number of events in a case through would not be a good practice would lot of time to load those in the console and will be difficult to keep track of them.

0 Likes
Highlighted
Super Contributor.. Super Contributor..
Super Contributor..

I am not talking about aggregated more than 1000 events in a rule.
I am talking about the number of events in a case.
For example if a rule triggers when 100 specific events occured, then a case is created and these 100 events are added in the case.
Then if the rule triggers later, so 100 new events are added in the same case.
So you can easily reach the maximal number of events included in a case.
Where can I change this maximal number in the ArcSight configuration ?

0 Likes
Highlighted
Acclaimed Contributor.. Acclaimed Contributor..
Acclaimed Contributor..

There is a property "rules.max_events_in_case" which is defaulted to 1000 in server.defaults.properties.  You should be able to override that to another value, just put it in server.properties.

View solution in original post

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.