ArcSight Recon and search license questions
ArcSight Recon and the search tier raise licensing questions that a finding rarely answers cleanly. Those questions usually come down to which metric governs your tier, how stored data volume is counted, and whether search capacity is being conflated with the EPS figure that governs collection.
Recon is the search and investigation layer that sits alongside the core ArcSight platform. It changes how data is stored and queried, and that change matters at audit time because the metric that governs Recon is not always the same metric that governs event collection. When a finding treats the two as one, or applies an EPS figure to a component that is actually licensed on stored volume, the number drifts away from licensed use.
Which metric actually governs Recon
The first question to settle is the unit. Collection in ArcSight is commonly governed by events per second, while a search and retention layer is more often governed by stored data volume or an ingestion measure over time. These are different dimensions, and a finding that imports a peak EPS figure into the search tier is measuring the wrong thing. Before conceding any Recon number, establish from the entitlement and the Additional License Authorizations which metric your specific edition was sold under, because the answer determines what evidence rebuts the claim.
If collection is licensed on EPS and search is licensed on stored volume, a finding that applies one metric to both components is not measuring consumption. It is double counting the same data under two dimensions.
How stored volume inflates a search finding
Stored data volume is easy to overstate. Retained data includes copies, indexes, and historical partitions that do not all represent distinct licensed consumption. A measurement that sums everything on disk, including data held only for retention and not for active search, can produce a figure well above the working volume the tier was sized for. The defense is to separate active searchable volume from retained archive and to hold the finding to the dimension the agreement actually defines.
Where search capacity gets conflated with collection
The most common error we see is collection and search being measured as if they were the same workload. A burst in events per second at the collection layer says nothing about search capacity, and a large retained store says nothing about real-time ingestion. When a finding blends these, the corrective is to pull them apart and reconcile each component against its own entitlement line. The work mirrors the broader discipline of holding ArcSight to the metric it was sold under rather than the metric that produces the largest number.
Reconstruct before you concede
As with every ArcSight line, the strongest position is an independent reconstruction built before any vendor measurement script runs. For Recon and search, that means documenting the licensed edition, the governing metric, the active searchable volume against the retained archive, and the relationship between the search tier and the collection layer. With that in hand, a finding that overstates stored volume or imports the wrong metric can be challenged on its own terms rather than negotiated down from an inflated baseline.
A recent engagement
In a recent engagement the search and retention component of an ArcSight finding had been priced as though every byte on disk were active, licensed search volume. Separating retained archive from working volume, and confirming the tier was governed by stored data rather than by the EPS used at collection, removed the largest single line from the finding before negotiation began. The same pattern that reduced the banking matter in case file E-03, where a $6.0M position settled at $1.8M, applies here: measure each component under its own metric and the inflation has nowhere to hide.
The questions to settle early
- What edition and metric. Confirm from the entitlement and the ALAs which Recon edition you hold and the dimension it is licensed on.
- Active versus retained. Separate searchable working volume from archive held only for retention.
- Collection versus search. Keep EPS at the collection layer distinct from any volume metric on the search tier.
- Non-production exclusion. Remove lab and test search instances where the agreement scopes the metric to production use.
Answer those four early and the Recon line stops being a mystery number on a vendor report and becomes a defensible figure tied to your own data.
How Recon changes the data picture at audit time
Recon was designed to make large volumes of security data searchable and economical to retain, and that design has a direct effect on how a finding reads. Because Recon encourages longer retention, the volume on disk grows, and a measurement that equates volume on disk with licensed consumption will see that growth as exposure. But longer retention is the product working as intended, not a sign of overuse. The defensive point is that retention and consumption are different ideas. A tier governed by a stored volume metric still has to be read against the definition of what that metric counts, and if the definition is active searchable data, then archive retained for compliance reasons may sit outside it. Establishing that boundary early stops a retention feature from being recharacterised as a licensing breach.
Reconcile search against the broader entitlement
A Recon or search finding rarely stands alone. It usually arrives bundled with collection and storage lines, and the bundle is where double counting creeps in, because the same data can be touched by collection, held in storage, and queried by search. Reconciling the search line against the broader entitlement means making sure each component is charged once, under its own metric, and that the relationships the agreement defines between components are respected. Where ESM, Logger, and Recon are licensed under distinct models, the reconciliation has to map each to its own dimension rather than letting one large number stand in for the whole platform. That mapping is the difference between a defensible position and an open-ended capacity argument.
Unsure which metric governs your ArcSight Recon tier?
We confirm the governing metric, separate active volume from archive, and reprice the search line against your real entitlement. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Related field notes
These notes from the ArcSight and Security audit defense cluster cover the metrics behind a search finding. Each links back to the complete OpenText audit defense playbook for 2026.
- how ArcSight data volume metrics inflate a finding
- ArcSight GB per day versus EPS metric models
- what is ArcSight EPS and how is it measured
- ArcSight ESM versus Logger licensing compared
- reconciling ArcSight entitlements before an audit
If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer-side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.