vdor Absent Member.

inActiveList limitations (size of lists)

Does anyone have any guidance about the size of ALs being used in real-time rules using inActiveList filters? For example, if I want to fire an alert when I see traffic from an IP that exists in an AL that contains 1000 entries, is that asking too much?

In addition to real-time alerting, what about for queries? Is there a whitepaper describing best practices?

michael.selph Absent Member.

Re: inActiveList limitations (size of lists)

Evan,

I've not really found an upper limit. I routinely use ALs that contain 1000+ entries in real time rules. I haven't gone much over 20,000 or so, but there was no noticeable impact with that many.

As for queries, I don't have a ton of experience using ALs with a large size in them. Depending on my exact needs, I'd probably use a trend and then schedule a report off of the trend or I would have a real time rule feed an active list and then report off of the AL.

Thanks,

Mike

tapujals Absent Member.

Re: inActiveList limitations (size of lists)

Michael is correct. The minimum/default sizing for active lists is 10k entries. They are designed to hold 10k to 100k (or more) pretty safely - but you might just be active listing too much if you have 100k entries.

vdor Absent Member.

Re: inActiveList limitations (size of lists)

Thanks for the replies everyone.
