
ArcSight GB per day versus EPS metric models

Two different ArcSight products can be metered on two different units, and which unit applies decides how a finding is built. The choice between the GB per day and EPS metric models determines whether the vendor prices you on how fast events arrive or on how much data you store, and conflating the two is a reliable way to inflate a number. The first job in any volume or rate dispute is to know which model governs which product.

Events per second measures throughput: the rate at which events flow into the platform. Gigabytes per day measures volume: the quantity of data ingested and retained over a day. ArcSight ESM is generally licensed on an EPS model, while ArcSight Logger is generally licensed on a daily volume model. They describe related but distinct quantities, and an audit that applies the wrong model, or both models to the same data, produces a finding larger than either metric alone would support.

What the EPS model measures and where it overreaches

The EPS model prices against a sustained event rate. Its characteristic overreach is the peak: a one-second high-water mark presented as if it were the sustained rate, which is the dispute at the heart of ArcSight EPS burst versus sustained measurement. Because the EPS model is about speed, the questions that defend it are about windows and transients: over what period was the rate measured, and what caused the spikes.

What the GB per day model measures and where it overreaches

The daily volume model prices against the quantity of data ingested per day. Its characteristic overreach is raw versus normalised counting and the inclusion of duplicate and non-production data, the pattern we describe in how ArcSight data volume metrics inflate a finding. Because the volume model is about quantity, the questions that defend it are about composition: how much of the daily figure is duplicate, test, or transient data that a normalised count would remove.

The mechanic

A finding that applies an EPS gap to throughput and a GB per day gap to the same event stream can charge twice for one flow of data: once for the rate it arrived at and once for the volume it represented. Assigning each model to its correct product, and removing duplicates from the volume, dismantles the double charge.

Why the choice of model is the whole argument

Because EPS and GB per day describe the same events from different angles, an audit can quietly select whichever produces the larger gap, or apply both. A burst of events inflates EPS as a rate and GB per day as a volume simultaneously, so a single transient can drive two overclaims. Pinning each product to its contractual model, and refusing to let one event stream be priced against both, is the structural defense. It is the same separation we apply when comparing ArcSight ESM versus Logger licensing.
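The effect described above can be reproduced on a small event stream. The following is an added example, not code from this article or from any vendor measurement script: the sample events are constructed, "sustained" is assumed to mean the average over the measurement window, and duplicates are assumed to be exact repeats of the same record.

```python
from collections import Counter

def build_sample():
    """Constructed events as (second, source, payload); not real ArcSight data."""
    events = []
    # Steady background: 2 events per second for 60 seconds.
    for s in range(60):
        events.append((s, "fw01", f"conn id={s}a"))
        events.append((s, "fw01", f"conn id={s}b"))
    # Transient: at second 30 one source re-sends the same record 200 times.
    events += [(30, "scanner", "probe tcp/445 10.0.0.5")] * 200
    return events

def eps_profile(events, window_seconds):
    """Rate view: one-second high-water mark vs average over the window."""
    per_second = Counter(sec for sec, _, _ in events)
    return {"peak_eps": max(per_second.values()),
            "mean_eps": len(events) / window_seconds}

def volume_profile(events):
    """Volume view: raw payload bytes vs bytes after dropping exact repeats."""
    raw = sum(len(payload.encode()) for _, _, payload in events)
    seen, dedup = set(), 0
    for ev in events:
        if ev not in seen:  # assumption: a duplicate is an identical record
            seen.add(ev)
            dedup += len(ev[2].encode())
    return {"raw_bytes": raw, "dedup_bytes": dedup}

def without_source(events, source):
    """Same stream with one source removed, to attribute a spike."""
    return [ev for ev in events if ev[1] != source]

if __name__ == "__main__":
    stream = build_sample()
    baseline = without_source(stream, "scanner")
    # The one transient moves both readings at once.
    print("rate   with burst:", eps_profile(stream, 60))
    print("rate   baseline  :", eps_profile(baseline, 60))
    print("volume with burst:", volume_profile(stream))
    print("volume baseline  :", volume_profile(baseline))
```

Running the two profiles separately, with and without the bursting source, shows the same 200 events appearing once as a rate spike and once as duplicate volume.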

How the four operations apply to a metric model dispute

We respond by taking over the channel during the seven day notice window so no blended figure reaches the vendor unmanaged. We reconstruct the EPS profile and the daily volume profile separately from the platform's own statistics. We rebut by assigning each model to its product, removing transients from the EPS reading and duplicates from the volume reading, and refusing any double count. We resolve on figures that reflect each model honestly and convert forward with both metrics defined distinctly.

A representative pattern

In a recent engagement, a finding had applied a rate gap and a volume gap to overlapping data, charging a single scan-driven spike under both models. Separating the EPS and GB per day profiles, and showing that the spike was a transient under one model and duplicate data under the other, removed the overlap before settlement. The shape echoes our anonymised banking matter, case file E-03, where a $6.0M ArcSight finding settled at $1.8M, a 70 percent reduction, after the measurement basis was corrected rather than negotiated.

The questions that decide a metric model dispute

Why a single transient can drive two overclaims

The metric model comparison matters so much because the two models are not independent. A burst of events, such as a scan storm or a chatty source looping duplicates, registers simultaneously as a higher rate under the EPS model and a larger quantity under the GB per day model. If an audit applies both models to the same event stream, that one transient is charged twice, once for how fast the data arrived and once for how much of it there was. Recognising that the two readings describe the same underlying events from different angles is what lets a defense refuse the double charge.

And the double charge is expensive because the remedy stacks on each model separately. A deemed shortfall under either model is priced at list, grossed up with back maintenance, a first year of maintenance, and audit costs. Two overlapping overclaims therefore mean two stacked remedies built on one flow of data. Assigning each model to its correct product and isolating the transients at the source dismantles the overlap before it is ever priced, which is far more effective than negotiating a combined number down after the fact.

The same logic carries into resolution. When a settlement records which product is metered on EPS and which on daily volume, and refuses to let one event stream answer to both, the new agreement closes the door this finding came through. Defining the two models distinctly at conversion is how a buyer ensures a single transient can never again be charged twice.

Have a finding that mixes EPS and GB per day?

A finding that applies both metric models to the same data almost always double charges. We separate the models and assign each to its product before any vendor script runs, through our ArcSight and Security audit defense. To put a defense team between you and the vendor, open a case or download the ArcSight EPS defense briefing.


If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.