FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 195061
Description

Summary of Topic

This article describes how to tell whether events have been dropped because the event rate (EPS) arriving in your AO environment exceeded the licensed limit.

Reminder: If this issue has come up, it is necessary to purchase a higher EPS limit with your license. Please contact your Sales Rep in order to get this resolved.


Steps

1 - Log into AO as the admin user.

2 - Go to Analytics > Historical Search.

3 - Create a Structured Search using the following attributes:

Event Type = PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE AND System Event Category = 3

4 - By default the search covers only the last 10 minutes; to look further back, change the time range.

5 - If this event is returned, its details tell you how many events were dropped.

Resolution: Discuss this issue with your sales rep in order to upgrade the EPS allowance in your current AO license. Alternatively, remove devices from your environment until EPS drops below the licensed limit.


Here's an example of how the event will appear:

<174>Aug 28 14:28:50 CO163 phParser[3383]: [PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[eventsPerSec]=2868.77,[phLogDetail]=2868.77 events/sec exceeds licensed event rate of 1000 events/sec

NOTE: The number of events lost (per second) in the event above is 1868.77, i.e. the reported rate minus the licensed rate (2868.77 - 1000 = 1868.77).


Additional Information

NOTE: Pay attention to the hostname in the log (in this example, CO163). It identifies the collector that reported the event, which lets you verify which organization is generating the excess EPS so you can reallocate licensed EPS from one collector / organization to another.
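As an added illustration (not part of the original article or of the FortiSIEM product), the following Python parses lines in the format of the event shown above, computes the excess events/sec exactly as the NOTE does, and summarizes the overage per reporting hostname so the collector or organization responsible can be identified. The sample lines are constructed: the first is the article's event, the others are made-up variants, and PH_SOME_OTHER_EVENT is a filler type used only to show that unrelated events are ignored.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the event shown in the article, the rest are
# made-up variants (PH_SOME_OTHER_EVENT is a filler type used to show filtering).
SAMPLE_LOGS = """\
<174>Aug 28 14:28:50 CO163 phParser[3383]: [PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[eventsPerSec]=2868.77,[phLogDetail]=2868.77 events/sec exceeds licensed event rate of 1000 events/sec
<174>Aug 28 14:29:50 CO163 phParser[3383]: [PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[eventsPerSec]=1500.00,[phLogDetail]=1500.00 events/sec exceeds licensed event rate of 1000 events/sec
<174>Aug 28 14:30:50 CO201 phParser[4120]: [PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE]:[eventSeverity]=PHL_WARNING,[procName]=phParser,[fileName]=parserProcess.cpp,[eventsPerSec]=1200.50,[phLogDetail]=1200.50 events/sec exceeds licensed event rate of 1000 events/sec
<174>Aug 28 14:32:10 CO163 phMonitor[2001]: [PH_SOME_OTHER_EVENT]:[eventSeverity]=PHL_INFO,[phLogDetail]=unrelated
"""

# Syslog header ("<PRI>timestamp host proc[pid]: ") followed by "[EVENT_TYPE]:" and the attribute body.
HEADER_RE = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) \w+\[\d+\]: \[(?P<etype>[A-Z_]+)\]:(?P<body>.*)$")
# "[key]=value" pairs; a value ends only at the next "[key]=", so phLogDetail keeps any commas it contains.
ATTR_RE = re.compile(r"\[(\w+)\]=(.*?)(?=,\[\w+\]=|$)")
DETAIL_RE = re.compile(r"([\d.]+) events/sec exceeds licensed event rate of ([\d.]+) events/sec")
EXCEED_TYPE = "PH_SYSTEM_EVENT_RATE_EXCEED_LICENSE"


def parse_event(line):
    """Return {host, type, <attributes>} for one FortiSIEM system event line, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = {"host": m.group("host"), "type": m.group("etype")}
    ev.update(ATTR_RE.findall(m.group("body")))
    return ev


def excess_eps(event):
    """(observed, licensed, excess) events/sec from phLogDetail; None for other events."""
    if event["type"] != EXCEED_TYPE:
        return None
    d = DETAIL_RE.search(event.get("phLogDetail", ""))
    if not d:
        return None
    observed, licensed = float(d.group(1)), float(d.group(2))
    return observed, licensed, round(observed - licensed, 2)  # article's 2868.77 - 1000 = 1868.77


def excess_by_host(text):
    """Per reporting host: count of exceed events and the worst excess rate seen."""
    summary = defaultdict(lambda: {"events": 0, "peak_excess_eps": 0.0})
    for line in text.splitlines():
        ev = parse_event(line)
        rate = excess_eps(ev) if ev else None
        if rate is None:
            continue
        s = summary[ev["host"]]
        s["events"] += 1
        s["peak_excess_eps"] = max(s["peak_excess_eps"], rate[2])
    return dict(summary)
```

Run excess_by_host() over an export of the Historical Search results to see which collector hostname carries the largest overage before redistributing EPS between collectors.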

Refer also to the description of Elastic EPS and how EPS works in the AccelOps user documentation.


Version Application

ALL

