For large watchlists I have always done an import using a Cyberthreat feed (TAXII), this is also one of the only ways to do back tracing. I am surprised your ESM had problems with the NFS import, it's always worked sufficiently fine for me.
Do you have a lot of operations on your SIEM?
Could you run `iostat -dhxm 10` and wait about 1 minute then CTRL-C and paste or message me the results?
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.