Change Memory Threshold for ESA RulesChange Memory Threshold for ESA Rules
The following procedures pertain to setting memory thresholds for ESA rules to prevent them from using excessive memory.
Change Memory Threshold for All Trial RulesChange Memory Threshold for All Trial Rules
This procedure is optional and applies only to ESA Correlation Rules.
Administrators can increase or decrease the memory threshold for trial rules. Threshold refers to the ESA memory usage, which includes ESA base memory, trial rules, and non-trial rules. When the threshold is exceeded, all deployed trial rules on an ESA service are disabled.
You use trial rules to see if a rule runs efficiently and does not use excessive memory, which can impact performance or force the service to shut down.
By default, the memory threshold is 90, which is the percentage of Java Virtual Memory (JVM).
- The memory threshold is per ESA, not per rule.
- When the memory threshold is exceeded, all trial rules running on the ESA are automatically disabled.
- The ESA configuration has the following parameters for trial rules:
- fatal-percentage: If memory rises above this percentage, ESA disables trial rules. For example, if fatal-percentage is set to 90, when memory rises above 90 percent, ESA disables trial rules.
- check-every: This parameter determines how often ESA checks the fatal-percentage to disable trial rules.
For more information, see "Work with Trial Rules" in the Alerting with ESA Correlation Rules User Guide.
Prerequisites
A role with administrative privileges must be assigned to you.
To change memory threshold for trial rules:
- Log on to NetWitness as admin.
- Go to (Admin) > Services.
- Select the ESA Correlation service and then select > View > Explore.
- In the Explore view node list, select correlation > health.
- In the right panel, in fatal-percentage, type a percentage of JVM that trial rules on the ESA cannot exceed.
The new memory threshold takes effect immediately. - If necessary, you can also adjust the check-every parameter, which determines how often ESA checks the fatal-percentage to disable trial rules. By default, ESA checks the fatal-percentage every 15 minutes.
Change Memory Threshold for Individual Trial Rules and Non-Trial RulesChange Memory Threshold for Individual Trial Rules and Non-Trial Rules
Note: This option is available in NetWitness Platform version 11.5 and later.
In addition to setting a memory threshold for all trial rules, you can set a memory threshold individually for both trial rules and non-trial rules. New rules default to a 100 MB memory threshold. Rules that existed before version 11.5 do not have a default value and a memory threshold is not set. You should configure a memory threshold for rules that use memory, such as a rule that contains windows or pattern matching. If the configured memory threshold is exceeded, the rule gets disabled individually and an error is displayed for that rule on the (Configure) > ESA Rules > Services tab.
- Go to (Configure) > ESA Rules >Rules tab.
- In the Rule Library, select the rule you want to configure and click .
The rule details are displayed. - In the Memory Threshold field, add the maximum memory usage allowed for this rule in MB. 100 MB is the default for new rules.
- Click Save.
- When you are finished changing the memory thresholds for individual rules in an ESA rule deployment, redeploy the deployment.
For more information, see the Alerting with ESA Correlation Rules User Guide.