What is ArcSight EPS and how is it measured?
If you have received an OpenText audit notice that mentions ArcSight, the first term you need to understand is events per second. EPS is the rate at which your ArcSight platform ingests events, and it is the metric that decides the size of most ArcSight findings. This is a plain explanation of what EPS is, how it is measured, and where the measurement goes wrong.
What events per second means
An event is a single record that ArcSight ingests, typically a log line from a firewall, a server, an application, or another security source. Events per second is simply how many of those records arrive and are processed each second. ArcSight Enterprise Security Manager and ArcSight Logger are commonly licensed against an entitled EPS figure, and the audit compares that entitlement to the rate the platform actually runs at.
EPS matters because it is a proxy for the size of the deployment. A larger estate with more log sources generates more events, so EPS rises with scale. The license is, in effect, a cap on how much the platform may ingest, and the audit exists to test whether you have stayed under the cap.
How OpenText measures EPS
OpenText runs a global software compliance team with executive sponsorship. When ArcSight is in scope, the compliance team prepares an entitlement and support review and then measures throughput, usually through a script or through the platform's own ingestion statistics. The measurement samples the ingestion rate over a period and produces a figure that anchors the finding. The agreement also gives OpenText seven days notice before an audit and the right to copy relevant records, which is why the EPS data is accessible to the measurement in the first place.
The critical detail is what the measurement reports. EPS is not one number. It varies second by second, rising during scans, backups, and incidents, and settling during quiet periods. The measurement can report an average, a sustained rate, or a peak, and these can differ by a wide margin. Which one the report uses determines whether the finding is fair or inflated.
A platform sized for 40,000 sustained EPS may peak near 90,000 EPS for a few seconds during a nightly scan. Reporting the peak as the consumption figure prices a gap the deployment never sustained.
Where the EPS measurement goes wrong
The most common error is measuring the peak and pricing it as if it were the operating rate. A momentary spike is something every well designed SIEM absorbs through buffering. Treating that spike as licensable consumption ignores how the technology works. A second error is counting events more than once as they pass through collectors, connectors, and the event broker, which inflates the rate. A third is folding non production traffic into the figure, so lab and test events are priced as production load.
Why the EPS number drives the whole finding
When EPS exceeds entitlement, the remedy is the deemed acquisition of additional licenses at then current list price, plus back maintenance and support, plus the cost OpenText incurs performing the audit. One overstated EPS figure therefore becomes three stacked charges. That is why the EPS measurement is worth contesting carefully: a correction to the rate flows through the entire finding.
What to do with an EPS number you do not recognize
If an audit shows an EPS figure higher than the rate your platform was sized for, do not concede it. Treat it as a peak until the vendor identifies the measurement basis, preserve your own ingestion statistics, and route every request through a single controlled channel during the seven day notice window. The detailed mechanics of separating a peak from a sustained rate, and the question of whether a peak can be priced at all, are covered in the related notes below. Reading the complete OpenText audit defense playbook for 2026 alongside them will put the EPS argument in the context of the wider audit.
How EPS relates to the other ArcSight metrics
EPS does not stand alone. A full ArcSight estate can be metered on several dimensions at once, and an audit often touches more than one. Data volume, usually expressed in gigabytes per day, can apply to Logger and to certain ingestion tiers, and it is sensitive to the same double counting that affects EPS. Connector counts can carry their own dimension or interact with throughput. Where identity based products sit alongside ArcSight, named user definitions come into play as well. Understanding EPS first matters because it is the metric most likely to anchor the largest single line of the finding, but a complete defense reconciles every metric in scope, because a correction on one line frequently exposes an error on another.
The practical consequence is that an EPS dispute is rarely resolved in isolation. When we reconstruct throughput to challenge a peak, we are also building the pipeline map that lets us test the volume figure and the connector count. The same evidence serves several arguments, which is why a disciplined reconstruction early in the engagement pays off across the whole finding.
Common misunderstandings about EPS
Two misunderstandings cause buyers to concede more than they should. The first is the belief that a high EPS reading is automatically an overage. It is not, until the reading is confirmed against the contractual unit and confirmed to reflect sustained operation rather than a transient. The second is the belief that because OpenText has the right to copy records and measure throughput, the resulting number is final. The right to measure is not the right to define the metric in whatever way produces the largest figure. The measurement is a starting position, and the unit, the window, and the causes of any spikes are all open to challenge. Buyers who understand those two points enter the conversation in a far stronger posture than buyers who treat the audit report as settled fact.
Have an ArcSight finding on the table?
Understanding EPS is the first step. Correcting how it was measured is where the finding comes down. We reconstruct the effective license position before any vendor script runs, then challenge the finding line by line. To put a defense team between you and the vendor, open a case or download the ArcSight EPS defense briefing.
Get The Number Down →Related field notes
These notes from the ArcSight and Security audit defense cluster go deeper on the mechanics referenced above, and each links back to the complete OpenText audit defense playbook for 2026.
- ArcSight EPS burst versus sustained measurement
- whether OpenText can measure peak EPS against your license
- how much an ArcSight EPS finding usually costs
- how OpenText measures ArcSight in a self assessment
- ArcSight GB per day versus EPS metric models
If you have received an OpenText or Micro Focus audit notice, the first seven days shape every week that follows. OpenText Audit Defense is an independent, buyer side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, cut the average finding by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.