Have tried this in lab and worked well.
However, integrating it in production (200+ RA users), hence, more users and log data causes the cpu to max out and ultimately to SmartLog/SmartEvent to fail.
Only recovering it with a evstop ; evstart, or waiting many hours.
This might probably be the reason: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Do you know of any successful use cases in production environments?
In which case i may raise a SR to tac to see if there is something else going on with my Management.