View Memory Metrics for Rules

This topic tells ESA rule writers how to view memory metrics for an ESA Correlation service and its associated ESA rules. You can see estimated memory usage for each rule running on a server, and you can use this information to modify your rule statements and conditions if they use too much memory.

Rules can sometimes consume more memory than you expect, causing ESA to slow down or stop. To see approximately how much memory a rule is using, you can view estimated memory usage for each rule in the Health & Wellness System Stats browser (you need permissions to access this module). You can use this information to modify your rules to be more efficient.

At a high level, you need to complete the following steps to use memory metrics to troubleshoot memory usage for rules:

  1. Ensure you have the correct permissions to view the Health & Wellness module. For information on roles and permissions, see ESA Permissions.
  2. View the memory statistics in Health & Wellness.
  3. (Recommended) Configure Health & Wellness ESA policies to send an email if memory thresholds are exceeded. See "Manage Policies" in the System Maintenance Guide for instructions on sending email notifications.
  4. Use the memory metrics data to modify rules to be more efficient, if necessary.

Note: You can also view memory metrics for ESA rules in the netwitness_configureicon_24x21.png (Configure) > ESA Rules > Services tab. See View Stats for an ESA Service.

Prerequisites

The following are requirements for using memory metrics:

  • You must have the appropriate permissions to view Health & Wellness statistics.
  • (Recommended) Configure the ESA Health & Wellness policy to send an email when memory thresholds are exceeded.

Note: Memory Metrics is always on for the ESA Correlation service; you do not have to enable it.

View Health Statistics and Trends for ESA Correlation in New Health & Wellness

In NetWitness version 11.5 and later, New Health & Wellness provides improved and intuitive dashboards, monitors, and visualizations. The ESA Correlation Overview dashboard provides health statistics and trends on ESA rule deployments.

netwitness_newhw_esacorr.png

For more information, see "Monitor New Health and Wellness" and "Appendix A: New Health and Wellness Dashboards / ESA Correlation Overview Dashboard" in the System Maintenance Guide.

View Memory Metrics for an ESA Correlation Service in Health & Wellness

  1. Go to netwitness_adminicon_25x22.png (Admin) > Health & Wellness > Monitoring tab.
    netwitness_121_hwmonitor_1122_2170x1228.png
  2. Locate your host and click the link in the Name field for your ESA Correlation service, for example, ESA- ESA Correlation.
    netwitness_11.4_hw_esacorrselected.png
  3. On the tab for your ESA host, click the Health Stats tab.
    You can view the health status of the ESA Correlation service.
    netwitness_121_esa_hw_healthstatstab_1122_750x352.png
  4. Click the JVM tab.
    You can view the JVM total memory used by the selected ESA Correlation service.
    netwitness_121_esa_hw_jvm_tab_1122_750x352.png

Note: You can also view memory metrics for the ESA Correlation service in the netwitness_configureicon_24x21.png (Configure) > ESA Rules > Services tab. See View Stats for an ESA Service.

View Memory Metrics for an ESA Correlation Service and its ESA Rules

  1. Go to netwitness_adminicon_25x22.png (Admin) > Health & Wellness > System Stats Browser.
  2. To view memory metrics for an ESA Correlation service, in the Host field, select your ESA host. Select Correlation Server for Component, enter ProcessInfo for Category, and then click Apply.

    Host Component

    Category

    <your host> Correlation Server ProcessInfo

    netwitness_121_hw-mem_metrics_1122_699x238.png

    The Memory Utilization statistic shows the total memory in use by the ESA Correlation service.

  3. To view the historical memory usage for the ESA Correlation service, click the Historical Graph icon.
    netwitness_corrsrvhistmemgraph_699x238.png
  4. To view the memory metrics for individual rules, in the Category field, enter Correlation Engine Metrics and click Apply.
    Host Component

    Category

    <your host>Correlation ServerCorrelation Engine Metrics

    netwitness_rulemetrics_1836x836.png
    The name of the rule is in the Statistic column appended with MemoryUsage and the memory usage in bytes is in the Value column.

    Note: The Last Update field reflects when Health & Wellness polls ESA. However, the Memory Metrics is not synchronized with the Health & Wellness polling. For example, if the memory threshold is exceeded on 2/10/19 at 12 p.m., but Health & Wellness polls at 2/10/19 at 12:10 p.m., the Last Update field will display a timestamp of 2/10/19 12:10 p.m.

  5. Click netwitness_histgraph.png to view a historical view of memory usage for the rule in the Historical Graph column.
    netwitness_11.3_rulehistgraph.png

Note: You can also view memory metrics for ESA rules in the netwitness_configureicon_24x21.png (Configure) > ESA Rules > Services tab. See View Stats for an ESA Service.