Report on EPS per source device.
I'm trying to figure out the best way to report on EPS per device. When I say per device, I mean per each individual log source not connector.
I am doing some troubleshooting as I've just discovered a 20k EPS increase in the last few days and it has remained consistent. The dashboard graphs are nice but don't show which sources have started sending more EPS, it only shows the connector/receiver info.
I'm trying to create a query/report that will show sourceAddress and events per second but there are a few issues:
1. Not really a great field to use for EPS/Count. I've tried the baseEventCount field but that isn't producing anything usable.
2. Not sure that you can even report on EPS from a historical sense outside of dashboard graphs.
3. EPS is a dynamic # so not sure if I'm even looking at this the right way.
Basically I need to see which sources are now sending an increased number of EVENTS. If anyone has any ideas or guidance they can provide, that would be greatly appreciated! Oh, and of course, time is of the essence!!!
Thank you in advance!
I think you should have a look at the Device Status Monitoring option available on the connectors.
It will enable event agent:043, which states how many events per device are received. Set Preserve System Health Events to YES on the connectors (in ESM/ArcMC). Also configure the interval for Enable Device Status Monitoring. A good interval might be 5 minutes, so you can deduce EPS averages per 5 minutes.
After performing Rudi's suggestion, please refer to the thread below on creating content:
Better to use a trend with the above EPS query with (type!=correlation) along with the above condition to see the EPS trend changes via a report.
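To illustrate the per-source EPS comparison the question asks for and the 5-minute interval suggested above, here is an added example (my own code, not from the thread or from ArcSight): it buckets exported events by sourceAddress into fixed intervals, computes the average EPS per bucket, and flags sources whose latest interval is far above their earlier baseline. The event list, timestamps and addresses are constructed sample data; a real run would feed it the sourceAddress and receipt time of each event exported for the period.

```python
# Added example: average EPS per sourceAddress per interval, with a simple
# "which sources grew" check. Sample data below is constructed, not real.
from collections import defaultdict
from datetime import datetime, timezone

INTERVAL = 300  # seconds: the 5-minute bucket suggested in the thread

# Constructed sample events: (receipt time, sourceAddress).
# 10.0.0.1 sends at a steady rate; 10.0.0.2 bursts in the second interval.
SAMPLE_EVENTS = (
    [("2024-01-01T00:00:%02d" % s, "10.0.0.1") for s in range(0, 60, 2)]
    + [("2024-01-01T00:05:%02d" % s, "10.0.0.1") for s in range(0, 60, 2)]
    + [("2024-01-01T00:00:%02d" % s, "10.0.0.2") for s in range(0, 60, 6)]
    + [("2024-01-01T00:05:%02d" % s, "10.0.0.2") for s in range(0, 60, 1)]
)

def eps_per_source(events, interval=INTERVAL):
    """Return {sourceAddress: {bucket_start_epoch: average EPS in that bucket}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src in events:
        # Timestamps are treated as UTC so bucket edges do not depend on local time.
        epoch = int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())
        counts[src][epoch - epoch % interval] += 1
    return {src: {b: n / interval for b, n in buckets.items()}
            for src, buckets in counts.items()}

def increased_sources(events, interval=INTERVAL, factor=2.0):
    """Sources whose latest-bucket EPS is at least `factor` times their earlier mean.

    Returns {sourceAddress: (baseline_eps, latest_eps)}.
    """
    flagged = {}
    for src, buckets in eps_per_source(events, interval).items():
        ordered = sorted(buckets)
        if len(ordered) < 2:
            continue  # need at least one earlier bucket to form a baseline
        baseline = sum(buckets[b] for b in ordered[:-1]) / (len(ordered) - 1)
        latest = buckets[ordered[-1]]
        if baseline > 0 and latest / baseline >= factor:
            flagged[src] = (baseline, latest)
    return flagged

if __name__ == "__main__":
    for src, (base, latest) in increased_sources(SAMPLE_EVENTS).items():
        print("%s: baseline %.4f EPS -> latest %.4f EPS" % (src, base, latest))
```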