I am trying to settle on a method for grouping hosts into hostgroups for easy searching and reporting. I have heard enough warnings of tags not scaling well. We have about 1000-2000 host sources.
I don't know which of these practices cause tagging scalability problems:
I HAVE seen eventtypes and tag::eventtypes slow down a search monstrously (Windows apps).
So I am trying to work through cases using lookup tables. It looks like this:
[| inputlookup hostgroups.csv | search group=pci-windows | fields + host]
I think I've run into two limitations with inputlookup to csv for hostgroups at search time.
Am I doing it right? Perhaps I should be returning all events and doing a 'where' clause of some sort with a lookup table?
Thank you, Answers!
Here are the scaling problems you might find with tags. They may or may not be important:
Eventtypes are a completely different issue from tags or lookups, and having a large number of complex searches can slow down the system overall, since basically every single event returned must be checked against every single event type search.
But, you're not using lookups quite the right way. If I were using lookups to tag hosts, I would configure an automatic lookup, say
LOOKUP-1 = hosttogroup host OUTPUT group
This would reference a table like:
host,group
myserver,dev
myserver,app
myserver,j2ee
myserver2,prod
myserver2,db
myserver3,dev
myserver4,test
myserver4,db
...
Then you would simply search using group="dev". This wouldn't require a macro at all, or the use of the inputlookup command.
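How the automatic lookup in the answer above could be wired up, as an added example that is not part of the original answer. It assumes the table is saved as hostgroups.csv (the file name from the question) in an app's lookups directory; the props.conf stanza name my_sourcetype is a hypothetical placeholder.

```ini
# transforms.conf: defines the lookup named in the LOOKUP-1 line
[hosttogroup]
# File name taken from the question; assumed to sit in the app's lookups/ directory
filename = hostgroups.csv
# Assumption: host names should match regardless of case
case_sensitive_match = false

# props.conf: applies the lookup automatically at search time
# "my_sourcetype" is a hypothetical placeholder; use the sourcetype(s) to be grouped
[my_sourcetype]
LOOKUP-1 = hosttogroup host OUTPUT group
# A host listed on several rows (myserver: dev, app, j2ee) gets a multivalue
# group field, so group="dev" and group="app" both match its events.
```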
Fricken rock. Thank you. I will test with this.
What would the csv lookup for this look like? Can you paste 2-3 lines including the header?