one DAY EPS CHECK

#select DATEFORMAT(devicetime,'dd-MM-yy') as 'Date', sum(eventcount)/86400 as

'Event Count' from events GROUP BY 'Date' START '2022-12-01 00:01' STOP '2022-12-01
23:59'

one hour EPS CHECK

#select DATEFORMAT(devicetime,'dd-MM-yy') as 'Date', sum(eventcount)/3600 as 'Event
Count' from events GROUP BY 'Date' START '2022-04-04 12:00' STOP '2022-04-04 13:00'

AQL Query to calculate the EPS by Event Name, Last 7 days

#SELECT QIDNAME(qid) As "Event Name", "EventID" AS "Event ID",
LOGSOURCENAME(logsourceid) AS "Log Source", LOGSOURCETYPENAME(devicetype) AS "Log
Source Type", CATEGORYNAME(category) AS Category, COUNT(*) AS "Number of Events",
SUM(eventcount)/(7*24*60*60) AS "EPS by Event Name" FROM events WHERE
LOGSOURCETYPENAME ( devicetype ) = 'Microsoft Windows Security Event Log' GROUP BY
"Event Name", "Log Source", "Log Source Type", "Event ID" ORDER BY "Number of
Events" DESC LAST 7 Days

AQL Query to calculate the EPS by Event Name, Last 1 day

#SELECT QIDNAME(qid) As "Event Name", "EventID" AS "Event ID",
LOGSOURCENAME(logsourceid) AS "Log Source", LOGSOURCETYPENAME(devicetype) AS "Log
Source Type", CATEGORYNAME(category) AS Category, COUNT(*) AS "Number of Events",
SUM(eventcount)/(24*60*60) AS "EPS by Event Name" FROM events GROUP BY "Event
Name", "Log Source", "Log Source Type", "Event ID" ORDER BY "Number of Events"
DESC LAST 1 Days

AQL Query to calculate the EPS by Event Name, Last 1 hour

#SELECT QIDNAME(qid) As "Event Name", "EventID" AS "Event ID",
LOGSOURCENAME(logsourceid) AS "Log Source", LOGSOURCETYPENAME(devicetype) AS "Log
Source Type", CATEGORYNAME(category) AS Category, COUNT(*) AS "Number of Events",
SUM(eventcount)/(60*60) AS "EPS by Event Name" FROM events GROUP BY "Event Name",
"Log Source", "Log Source Type", "Event ID" ORDER BY "Number of Events" DESC LAST
1 HOURs

AQL Query to calculate the EPS by Log source , Last 1 day

#SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of
Events in Interval", SUM(eventcount) / 86400 AS "EPS in Interval" FROM events GROUP
BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 24 HOURS
# Search : GROUP by Log Source | COLUMNS by Event Count

AQL Query to calculate the EPS by Log source , Last 7 days

# SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of
Events in Interval", SUM(eventcount) / (7*24*60*60) AS "EPS in Interval" FROM
events GROUP BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 7 DAYS

AQL Query to calculate the EPS by Log source for Any day
SELECT LOGSOURCENAME(logsourceid) AS "Log Source", SUM(eventcount) AS "Number of
Events in Interval", SUM(eventcount) / 86400 AS "EPS in Interval" FROM events GROUP
BY "Log Source" ORDER BY "EPS in Interval" DESC START '2022-11-25 00:01' STOP
'2022-11-25 23:59'

To check EPS for Event ID 5156

#SELECT QIDNAME(qid) As "Event Name" , SUM(eventcount)/(60*60) AS "EPS by Event
Name" FROM events WHERE "Event ID" = 5156

To check EPS for Log source type last 1 hour

#SELECT LOGSOURCETYPENAME(devicetype) AS "Log Source Type", COUNT(*) AS "Number
of Events", SUM(eventcount)/(60*60) AS "EPS by log source Type" FROM events GROUP
BY "Log Source Type" ORDER BY "Number of Events" DESC LAST 1 HOURS

#SELECT LOGSOURCETYPENAME(devicetype) AS "Log Source Type", COUNT(*) AS "Number of

Events", SUM(eventcount)/(86400) AS "EPS by log source Type" FROM events GROUP BY
"Log Source Type" ORDER BY "Number of Events" START '2023-07-06 00:01' STOP '2023-
07-06 23:59'

CHECK ERROR LOG SOURCES

Linux OS : ; LinuxServer @ admin-portal ; LinuxServer @ asvmkhvmdct0010
Win OS : 172.16.24.183 WEBTECH ;

Critical apps ; Security devices ; NW devices ; DBs ; Linux ; Win Servers

1k EPS: AD, EPP, core-FWs, core-switches,routers, Fortigate, WAF , LB, Xchange-OS
initial , Critical Win OS, Linux OS Scope for 750 EPS Critical: Xchange
app, EFA, DBs itself, FMC-DC

Microsoft Xchange Server : 400-500 Bluecoat : 100-200 IronPort : 100-200 Critical

apps : 200-300 FTD-STP & FMC-DC : 20

First check your License Pool Configuration.Go to Admin>System and License

Management>Display "Licenses" then click Licence Pool Management to check your EPS
Allocation.
As Qradar Documentation says "EPS license is applied and processed on a real-time
basis, twice per second, on the raw, inbound event stream.
Every half second, the system will pull off the allocated number of events, and if
there are events left in the queue, they are "Throttled", and held in the queue
(buffered) until the next half second period.
If you are over your license limit for more than 50% of the time, during each
minute, you will see notifications from QRadar that you are over your license that
many times per minute.
Data is not being dropped, but it is being throttled or buffered." In Short, "
Event Rate (Events Per Second Raw) " applies on licensing.

GRAPH:
https://www.ibm.com/support/pages/qradar-event-rate-eps-graph-may-not-reflect-
entire-event-load-system

** Events per Second Raw - Average 1 Min