Hi,
could you give us a bit more detail? We’re also looking into some cases where datasets might have an impact on performance like that due to locks.
What version?
What does the suricata.yaml look like?
What type of datasets are you using exactly?
Do you have the option to do some tests?
One simple test would be to just run 1 dataset and observe it and afterwards add a second one in a new run. I’ve seen scenarios where the performance hit was already seen with 2 datasets.
Could you also run perf top -p $(pidof suricata) and share the output in those cases?