[Security Solution][Detection Engine] Investigate ways to bound memory usage of rule queries #192732
Labels
Feature:Detection Rules
Anything related to Security Solution's Detection Rules
performance
Team:Detection Engine
Security Solution Detection Engine Area
Comments
marshallmain
added
Feature:Detection Rules
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Parent issue: https://github.com/elastic/security-team/issues/10106
Detection rules typically fetch 100 source documents at a time to transform into alerts. When these source documents are large, this puts significant memory pressure on both Elasticsearch and Kibana. If the documents are large enough, Elasticsearch and/or Kibana can run out of memory and crash. We should investigate ways that we can limit the total amount of data retrieved at one time to avoid OOM problems.
The text was updated successfully, but these errors were encountered: