Panther Knowledge Base

How do I debug slow performance in the cache or panther-kv-store?

QUESTION

How do I debug slow performance in the cache or panther-kv-store? I have a detection that counts events using this cache, and only sends an alert when a certain number of events have matched this detection.

ANSWER

In general, we recommend using deduplication with a threshold to count matching events before alerting on a certain number of matches. The deduplication feature is more efficient than using the cache.

Caching delays have been correlated with detections enabled on high-volume log sources. It's recommended to only use the cache in detections for low-volume log sources, and to avoid calling the cache before it's necessary. If you're experiencing slow caching performance, please contact Panther support.
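
A sketch of the deduplication-with-threshold approach recommended above, as an added example that is not Panther's own code. The event fields (`action`, `user`), the threshold value and the `simulate_alerts` helper are assumptions made for illustration; the helper only approximates, locally, how matches are grouped by dedup string within one deduplication period.

```python
# Added example, not Panther's own code. Field names, values and the
# simulate_alerts helper are assumptions made for illustration.
from collections import Counter

# In the rule's YAML metadata (constructed values):
#   Threshold: 3             # matching events required before an alert
#   DedupPeriodMinutes: 60   # window in which one dedup string is grouped
THRESHOLD = 3


def rule(event):
    # Cheap field check only: no cache or panther-kv-store call per event,
    # so a high-volume log source adds no key-value round trips.
    return event.get("action") == "login_failed"


def dedup(event):
    # Events that return the same string count toward the same threshold.
    return f"login_failed:{event.get('user', '<unknown>')}"


def simulate_alerts(events, threshold=THRESHOLD):
    """Local stand-in for the platform: count rule matches per dedup string
    in one dedup period and return the strings that reach the threshold."""
    counts = Counter(dedup(e) for e in events if rule(e))
    return sorted(key for key, n in counts.items() if n >= threshold)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"action": "login_failed", "user": "alice"},
    {"action": "login_failed", "user": "bob"},
    {"action": "login_failed", "user": "alice"},
    {"action": "login_ok", "user": "alice"},
    {"action": "login_failed", "user": "bob"},
    {"action": "login_failed", "user": "alice"},
]

if __name__ == "__main__":
    print(simulate_alerts(SAMPLE_EVENTS))
```

The counting that a cache-based detection would do with a counter key is expressed here by the dedup string plus the threshold setting, so `rule` itself stays free of cache calls.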
