This topic describes how to view an ESA Correlation service’s deployment statistics (stats). This procedure is useful when determining a rule's effectiveness or troubleshooting an ESA rule deployment.

Caution: When you modify and re-deploy an ESA rule deployment, all the stats are removed from that deployment. The generated alerts are not removed from NetWitness.

To View Deployment Stats

  1. Go to CONFIGURE > Policies > Content.

  2. Under Settings, click Event Stream Analysis > ESA Deployments.

The available deployments are displayed.

  3. Select the deployment whose stats you want to see.

  4. Click the Deployment Stats tab.


The deployment stats for the selected service are displayed.


Review the following sections of the selected deployment's stats. For a complete description of each statistic in each section, see Deployment Stats Information.

  • Engine Stats
  • Rule Stats
  • Alert Stats

The following figure shows the Deployment Stats panel.

[Figure: Deployment Stats panel]

  5. Review the list of details about the rules deployed on the ESA.

  • Whether the rule is enabled or disabled
  • Rule name
  • Rule type
  • Rule trial mode
  • Last detected
  • Events matched
  • Rule memory usage
  • Deployment CPU percentage used by the rule

    For a complete description of each column in each section, see Deployment Stats Information.

Check Health and Wellness

To monitor your ESA Correlation service's overall memory usage and health, click Health & Wellness.


To Enable or Disable Rules

  1. Select a rule from the Rule Stats panel grid.

  2. Click Enable to enable the rule or click Disable to disable the rule.


To Refresh the Statistics

The Services tab does not update statistics automatically unless you enable or disable a rule.

  1. Click the Refresh tab in the bottom right corner to refresh the information.

    The Services tab is refreshed to show the changes, which take effect immediately.

  2. View the updated information.


Edit the Deployment

To edit the deployment, click the Edit Deployment tab in the bottom right corner of the page.


Last Refresh Time

This information indicates the last time the Deployment Stats page was refreshed.


| Section | Parameter | Description |
|---|---|---|
| Engine Stats | Esper Version | Esper version running on the ESA service. |
| Engine Stats | Events Offered | Number of events processed by the ESA service since the service last started. |
| Engine Stats | Events Rate | The rate at which the ESA service processes current events / the maximum rate at which the ESA service processed events. |
| Rule Stats | Rules Enabled | The number of rules enabled. |
| Rule Stats | Rules Disabled | The number of rules disabled. |
| Rule Stats | Rules Count | The number of rules inside a deployment. |
| Rule Stats | Total Events Matched | Total number of events matched to all rules on the ESA service. |
| Alert Stats | Notifications | The total number of notifications sent by email, SNMP, syslog, or script for the deployment. (ESA SNMP notifications are not supported in NetWitness Platform version 11.3 and later.) |
| Alert Stats | Alerts Created | The total number of alerts sent to Respond for the deployment. |

The Rule Stats panel details:

The Rule Stats panel provides details on the rules that are deployed on the ESA service. The following figure shows the Rule Stats panel.

[Figure: Rule Stats panel]

The table below lists the parameters in the Rule Stats view and their descriptions.

| Parameter | Description |
|---|---|
| Enable icon | Enables a rule that was disabled. |
| Disable icon | Disables a rule that was enabled. |
| Health & Wellness link | Enables you to monitor overall memory usage and health of your ESA Correlation service. |
| Status | Indicates whether the rule is enabled or disabled. A green circle icon indicates that the rule is enabled. A white circle icon indicates that the rule is disabled. Note: If a rule has an error on deployment, it shows up as ‘Failed’. Hover over the Failed icon to view the error message in the tooltip. |
| Rule Name | Name of the ESA rule. |
| Rule Type | Endpoint indicates a rule from the Endpoint Risk Scoring Bundle, and Esper indicates Esper-specific rules, such as Rule Builder and Advanced EPL rules. |
| Trial Rule | Indicates whether the rule is running in trial rule mode. |
| Last Detected | The last time an alert was triggered for the rule. |
| Events Matched | The total number of events that matched the rule. |
| Memory Usage | The total amount of memory used by the rule. Note: The Endpoint Risk Scoring Rules Bundle rules do not show memory usage. |
| CPU % | The percentage of the deployment CPU used by the rule. For example, a deployment with 1 rule shows 100% CPU usage for that rule, and a deployment with two equally CPU-heavy rules shows 50% each. Note: The Endpoint Risk Scoring Rules Bundle rules do not show CPU usage. |

The Data Source Stats panel details:


| Parameter | Description |
|---|---|
| Service Name | Identity of the service. |
| Service Type | Type of the service. |
| SSL | Data source connected to the ESA deployment over an SSL connection using the SSL port (for example, for the Concentrator, it is 56005). |
| Session Behind | Difference between the latest session ID on the Concentrator and the currently processed session ID on ESA. |
| Last Received Session ID | The latest session ID received by the deployment from the data source. |
| Buffered Sessions | Number of sessions in the ESA buffer to be consumed by the Esper engine. |

 
