Just got off the phone with (Gold) tech support and the tech was unsure where the Events Per Second Summary is on a receiver...We have a ERC-1250 and from my PDF it has a 5,000 EPS cap. So, my question is. Where is this info at on the SIEM? I checked the Receiver statistics page and nothing has the EPS. Tech support looked all around and they could not find it. Last thing we did was a putty session into the receiver and did a DSSUMMARY this pulled some stuff ( had no clue what it was) and we have well over 100 devices added in SIEM (Close to around 170 devices) The only thing the tech said and he wasn't 100% sure said "W/S 10M: 1,812.03 (100) W/S 24h: 1,742.77" he said the (100) was how many data source's we have added?
Does this sound correct? So we have 1,812 EPS? Is there a better way to find this info out rather then a dos looking screen? No statistics page on the receiver in SIEM? This seems really odd since how would users know when to upgrade ERC's or at the EPS cap?
I believe the 'dssummary' command is for troubleshooting but will also display your observed EPS in at the receiver. From my experience, you are unable to check this information from the GUI. So the results from your command show an average of 1812 EPS in over the last ten minutes and a average 1742 EPS in over the past 24 hours. I'm not really sure what the data in the parenthesis represent. I guessed it was a percentage distribution of EPS from all my devices.
One important note:
I'd recommened to calculate your environments peak EPS. Simply put, peak EPS is a calculation based on the number of devices and the max EPS they will generate. Peak EPS is usually what can bring down a SIEM, even if the peak EPS is only observed for a few seconds. There is no industry standard for computing this, but there are whitepapers out there that go into much more detail if you're interested. Just some thing to consider
It would be nice to have some clarity around this. For example, with a polled event source - WMI for example - the events for a relatively long period arrive in a very short period of time. So would a 5000 EPS rated device only be able to handle 5000 events collected over, say, a 5 minute polling period? Or can it handle 1.5 million events collected on one burst?