High CPU utilization in Security Analytics

Article ID: 232303

Products

Security Analytics

Issue/Introduction

The customer is observing high CPU utilization.  All cores are highly utilized.  There are no free CPUs.

Resolution

CPUs can be consumed by any of several processes in the system, and full utilization on its own may be normal. Look for other signs that the system is unhealthy; if those appear, investigate the CPU load and its cause.

Here are a few reasons:

  • A CPU is used at 100% for each network interface (NIC) or capture port that is started or activated.  A CPU is dedicated to each capturing port so that no packets are lost during idle cycles.  To reduce CPU load, stop capture on each port that has no link or is not receiving traffic.
  • Each report run from the Analyze > Summary page requires a CPU while it is running.  If the default page for a viewer has 30 reports (also known as widgets), then 30 CPUs are used while the screen is loading.  To reduce the CPU load, change the number of reports on the default page.  We recommend 4-6 reports.  Then create other report pages for targeted incident investigations.
  • Each indicator used by a rule requires some CPU.  Indicators that use regular expressions (regex) or wildcards are complex and require extensive CPU time.  Review the rules and their indicators to reduce the wildcards used.  If you would like help with your indicators, contact your Sales Team and Solutions Engineer or call support.
  • Each time a file is extracted, it takes CPU time to pull the packets from the filesystem and assemble them into files.  When the timespan for the search and extraction is wide, there can be hundreds of thousands of files.  Narrow the timespan or use other criteria to reduce the number of files extracted.

Additional Information

Anomaly Detection can also cause high CPU utilization.  See this article for details: CPU and memory usage is high in Security Analytics