Alex,
Here is the path data follows on a Network Monitor from induction to database:
PacketCapture > /drop_pcap folder > FileReader > /incidents folder > Incident Writer > Enforce (Monitor Controller) > /incidents folder > Incident Persister > Oracle database
With that in mind you can fairly quickly check the common 'choke' points for data and know what's not performing as expected based on where you find queued data.
On the Detection Server
Packet Capture
This is responsible for ingesting raw packets and re-assembling them into TCP streams. Because it's only getting a copy of traffic from a SPAN/TAP port, it can't re-request any missed packets. If it misses a single packet the whole stream must be discarded. This can happen if the source traffic is missing information, if the SPAN/TAP are overloaded (and not able to send all traffic to DLP) or if there is too much traffic for PacketCapture. In the Enforce console, go to System > Traffic and check for Discarded Packets to see if there are streams that PacketCapture can't reassemble.
/drop_pcap folder
Successfully captured TCP streams are written as .vpcap files to the Network Monitor. By default this folder is located at /var/SymantecDLP/drop_pcap (C:\drop_pcap on Windows). It's OK to have a number of directories here at any given time, but if you have files queued here - especially if the number of files is growing - it indicates that either FileReader is down (check System > Overview > [server name]) or not able to keep up with the volume of traffic captured by PacketCapture.
FileReader
The scanning engine for the detection server. If it's not able to keep up with data captured by PacketCapture, you'll need to consider adding additional servers and dividing the traffic. If you want more information about how to do that, please let me know.
/incidents folder
If FileReader finds a message that violates a policy it writes an .idc file to /var/SymantecDLP/incidents (<DLP root>/Protect/incidents on Windows). From here it should be passed to Enforce. If an .idc file is unable to process repeatedly, it is renamed to .bad. Renaming a .bad file back to .idc will cause it to attempt to re-process (in the event of a processing blockage being cleared).
Incident Writer
This process takes files from the /incidents folder and passes them up to Enforce. There's rarely issues here unless there is no connection to Enforce.
On Enforce
MonitorController
Manages all connections to detection servers and is the process that recieves .idc files sent by IncidentWriter on the detection servers. All incidents are written to the /incidents/ folder on Enforce (same default locations as above).
IncidentPersister
Picks up .idc files from the /incidents/ folder and inserts them into the database. It is also responsible for executing Response Rules on Enforce (things like Send an Email and Send to Syslog). If .idc files are queuing on Enforce it could be due to Enforce not having a connection to the database (in which case try restarting Vontu Manager service and checking the Tomcat logs for database connection errors).
Oracle database
Beyond the Oracle server being down, the next most common reason this would be a bottleneck is if one of the tablespaces fills up. Check for errors in System > Overview > Enforce about tablespace being full and then add/extend datafiles to the tablespace listed in the error. The KB details this process well.
I hope that helps give you a better understanding of your DLP system as a whole and also a series of checkpoints to see how well it's handling load.
If you have any questions, please let me know. If this answers your question, please mark it as a solution!
Thanks!