Enforce GUI displays System Event Code 1818: Incident is oversized, has been persisted with a limited number of components and/or violations.
Example - System Overview
Warning 4/15/15 2:28 AM Enforce Server 127.0.0.1 1818 Incident is oversized, has been persisted with a limited number of components and/or violations
Example - Server Event Details
Type: Warning Time: Apr 15, 2015 2:28:37 AM
Server: Enforce Server Host: 127.0.0.1
Summary: Incident is oversized, has been persisted with a limited number of components and/or violations
Detail: Incident is oversized, has been partially persisted with messageID 40701, Incident File Name l1429063214350.idc_1429063000017.idc
Example - IncidentPersister_0.log
Apr 15, 2015 2:28:26 AM (SEVERE) Thread: 1630 [com.vontu.incidenthandler.message.persist.convert.v12.MessageComponentProcessor.createComponentsAndIncidents] Violations beyond 500 have been discarded for incident ID: 1166 per max.violation.per.message property value
Apr 15, 2015 2:28:37 AM (SEVERE) Thread: 1630 [com.vontu.incidenthandler.message.persist.IncidentPersistingThread.cleanupIncidentFile] Over
A very large incident file with a high volume of message components and/or violations (matches) was presented to Enforce. Large incident files will be persisted with only a limited numbers of violations and components into the Oracle Database; the rest of the violations and components will be discarded (not persisted in Database).
This is intended functionality and is working as designed.
The IncidentPersister in v11.x did not allow for the processing of these large incident files, resulting in the incident to be discarded entirely. In some cases, encountering large incident files in v11.x would also cause Java Virtual Machine (JVM) out-of-memory errors due to the max heap size of 1.5GB (32bit address limitation).
Introduced in DLP v11.6, there was a need to implement a more scalable IncidentPersister mechanism to gracefully handle very large incidents. This change improved system performance and allowed incidents to be persisted to the Oracle database while retaining only partial information.
The following options can be changed in IncidentPersister.properties to adjust the incident thresholds, respectively.
# max.component.per.message is the maximum number of message components in an incident.
# The default value for max.component.per.message = 1000
max.component.per.message = 1000
(Disclaimer: Changing the incident thresholds beyond the default values will require additional processing and resources which will affect performance accordingly.)