I have four servers. Two are web portals and two are application servers. All four servers belong to one online service. For my own understanding, I want to tag them with the service name, so that when I run the query below I see the events from all four servers.
How can I do that?
I followed the same steps.
I associated the tag=abc with the host below, and I can see the tag when I explore the event, like below
but when I use the
I can't see anything. It might be some permission issue. I am logged in as a normal user.
I like to use tags associated with eventtypes, so I create an eventtype like this:
my_index=my_index sourcetype=my_sourcetype (host=hostAS1 OR host=hostAS2)
associating tag=applicationserver with it
my_index=my_index sourcetype=my_sourcetype (host=hostOS1 OR host=hostOS2)
associating tag=onlineservices with it
In this way I can use them instead of searches (your search becomes
tag=applicationserver OR tag=onlineservices), and you can easily manage changes in architecture (e.g. inserting an additional server) by modifying only the eventtype instead of all searches.
Have a good year.
Great idea, but unfortunately for some services I have 15 to 20 servers. My next plan is to tag them based on zones, and then tag them as internal or external resources.
So in the end all hosts have three types of tags:
1- based on application
2- based on DMZ zones
3- based on internal or external location (internal means within the network and external means coming from the internet)
OK, what is the problem? You'll have more than two tags, but in any case you can easily manage them at only one point.
In addition, think (if possible) about using the same tag for different eventtypes: e.g. if I need to monitor logins on different systems (Win, Linux, appliances, ...), I can create one eventtype for each sourcetype and use for all of them the
tag=LOGIN; in this way, with only one tag, I can search across different logs.
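
The setup discussed in this thread, written as Splunk configuration files instead of UI steps. This is an added example, not part of any post: the eventtype stanza names, the zone and location tag names (dmz1, dmz2, internal, external), the login sourcetypes and their search terms are hypothetical, and the index, sourcetype and host values are the thread's placeholders, with the index filter assumed to be index=my_index.

```ini
# ---- eventtypes.conf ----
# One eventtype per group of hosts. Adding a server means editing
# only the search line here, not every saved search that uses the tag.
[myservice_appservers]
search = index=my_index sourcetype=my_sourcetype (host=hostAS1 OR host=hostAS2)

[myservice_onlineservices]
search = index=my_index sourcetype=my_sourcetype (host=hostOS1 OR host=hostOS2)

# One eventtype per sourcetype for logins (search terms are constructed).
[login_linux]
search = index=my_index sourcetype=my_linux_sourcetype "session opened"

[login_windows]
search = index=my_index sourcetype=my_windows_sourcetype "logon"

# ---- tags.conf ----
# Three tags per eventtype: application, zone, internal/external.
[eventtype=myservice_appservers]
applicationserver = enabled
dmz2 = enabled
internal = enabled

[eventtype=myservice_onlineservices]
onlineservices = enabled
dmz1 = enabled
external = enabled

# The same tag on several eventtypes: one search term covers all of them.
[eventtype=login_linux]
LOGIN = enabled

[eventtype=login_windows]
LOGIN = enabled

# A tag set directly on a host field value, as in the tag=abc post.
[host=hostAS1]
abc = enabled

# ---- searches that use the tags ----
# tag=applicationserver OR tag=onlineservices   -> all four servers
# tag=dmz1 tag=external                         -> zone AND location
# tag=LOGIN                                     -> logins from every sourcetype
# tag::host=abc                                 -> only the tag on the host field
```

Eventtypes and tags are knowledge objects, so whether another user sees them depends on how the objects are shared, not on the search syntax.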