Hi,
We have Apache logs in a variety of indexes from a variety of hosts which represent a variety of different environments. Up until now, we'd been creating and maintaining tags which matched DNS CNAMEs for each Apache host, which gave some sort of "coded" information about what environment it was in. As this list grows, shrinks and morphs, it's proving a little painful to keep that up to date and to keep objects that users can properly reference. I've also heard that tags don't scale all that well, so I kind of wanted to get out of the tagging game, at least for this purpose.
Ultimately what I'd like to be able to hand users is a way to say something like
eventtype="apache_access_test"
to capture all access log events from Apache servers in the test environment. In our case, such a search would really translate into something like
(index=bar OR index=blaz OR index=biz OR index=foo)(host=C OR host=D OR host=G OR host=H OR host=Y OR host=Z...)
where the indexes represent the locations that various applications have their access logs stored in and the hosts listed represent hosts that are members of that environment type. Maintaining a long list of OR'd hosts is a bit of a pain, so I thought I'd be clever and create a little lookup table so that it didn't have to be a list but a lookup. Unfortunately, it appears that eventtypes can't contain pipes, so there goes that idea.
That brings me to the idea of creating macros. Macros seem to me to be less intuitive for users than something like an eventtype label might be. I'm also not really sure how they might be performance-wise.
And then this all brings me back full-circle to wondering if I should be doing a combination of tagging here and the eventtype. That is, tag to label hosts as "apache_test" and "apache_prod" so that my eventtype specification is a list of indexes and a single tag="apache_test" entry.
Anyway, I'm looking for advice on my situation. Hopefully someone has done this type of thing before.
Thanks!
If the index and host lists must be managed by end users and not by developers, for me the best way is to create two lookups and use them in a macro.
Instead, if your lists are managed by developers or skilled users, maybe it could be simpler: you could create two-level tags:
In this way you could manage your index and host lists in only one place.
Bye.
Giuseppe
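The two options above (lookups inside a macro, or two-level tags with the index list kept in the eventtype), written out as an added example. This is not configuration from the thread or from Splunk's own apps: it reuses the question's index names bar/blaz/biz/foo, and the host names C, D and A, the lookup apache_hosts, the tags apache_test/apache_prod, the eventtype apache_access_test and the macro apache_access are made-up names for illustration.

```ini
# Added example, not from the original thread. Every name below is assumed
# for illustration; only the index names come from the question.

# ===== Option 1: host membership lives in a lookup, wrapped in a macro =====

# ----- transforms.conf -----
# Registers a CSV lookup. The file lookups/apache_hosts.csv (constructed
# sample) has the header "host,env" and rows such as:
#   C,test
#   D,test
#   A,prod
[apache_hosts]
filename = apache_hosts.csv

# ----- macros.conf -----
# An eventtype cannot contain a pipe, but a macro can, so the lookup is read
# in a subsearch. Because the subsearch returns only the host field, Splunk
# expands it into (host=C) OR (host=D) ... at search time, i.e. the same
# OR list as before, just no longer maintained by hand.
# Users call it as:  `apache_access(test)`
[apache_access(1)]
args = env
definition = (index=bar OR index=blaz OR index=biz OR index=foo) [| inputlookup apache_hosts where env="$env$" | fields host]

# ===== Option 2: two-level tags, index list stays in the eventtype =====

# ----- tags.conf -----
# A tag is attached to one field=value pair per stanza. A whole search
# string such as "index=bar OR index=blaz" is not a field value and cannot
# be tagged, so only the hosts are tagged; the index list goes in the
# eventtype below. Moving a host between environments is a one-stanza edit.
[host=C]
apache_test = enabled

[host=D]
apache_test = enabled

[host=A]
apache_prod = enabled

# ----- eventtypes.conf -----
# Users search with:  eventtype=apache_access_test
# tag=apache_test is resolved at search-parse time into the tagged host=
# terms, so the eventtype never needs editing when hosts change.
[apache_access_test]
search = (index=bar OR index=blaz OR index=biz OR index=foo) tag=apache_test

[apache_access_prod]
search = (index=bar OR index=blaz OR index=biz OR index=foo) tag=apache_prod
```

Whichever option you pick, the knowledge objects must be shared at app or global level with the users who will run `eventtype=...` or the macro, otherwise their searches silently match nothing. Searching bare `tag=apache_test` without the eventtype would match the tagged hosts in every index, which is why the index list belongs in the eventtype rather than in a tag.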
I agree: tags.
I've been looking for the same solution. Thanks for this advice.
Here is my equivalent example. I get 0 results back when I run tag=cutover from the search box. Where am I going wrong?
(Also, I literally placed the string "index=main OR index=astra OR index=service OR index=os" into 1 tag entry box. Is that ok?)
astra_cutover
    tag=astra_cutover_hosts, tag=astra_cutover_indexes, tag=astra_cutover_sourcetypes
astra_cutover_hosts
    host=mdc1vr1211 OR host=mdc1vr1212 OR host=mdc1vrs30b92a OR host=mdc1vrs30b92b
astra_cutover_indexes
    index=main OR index=astra OR index=service OR index=os
astra_cutover_sourcetypes
    sourcetype=Prod_Astra_COM_UI OR sourcetype=teamsite_
I get 0 results. Any help?