I am trying to settle on a method for grouping hosts into hostgroups for easy searching and reporting. I have heard enough warnings of tags not scaling well. We have about 1000-2000 host sources.
I don't know which of these practices cause tagging scalability problems:
I HAVE seen eventtypes and tag::eventtypes slow down a search monstrously (Windows apps).
So I am trying to work through cases using lookup tables. It looks like this:
[| inputlookup hostgroups.csv | search group=pci-windows | fields + host]
I think I've run into two limitations with inputlookup to csv for hostgroups at search time.
Am I doing it right? Perhaps I should be returning all events and doing a 'where' clause of some sort with a lookup table?
Thank you, Answers!
Here are the scaling problems you might find with tags. They may or may not be important:
Eventtypes are a completely different issue from tags or lookups, and having a large number of complex searches can slow down the system overall, since basically every single event returned must be checked against every single event type search.
But, you're not using lookups quite the right way. If I were using lookups to tag hosts, I would configure an automatic lookup, say
LOOKUP-1 = hosttogroup host OUTPUT group
This would reference a table like:
host,group
myserver,dev
myserver,app
myserver,j2ee
myserver2,prod
myserver2,db
myserver3,dev
myserver4,test
myserver4,db
...
Then you would simply search using group="dev". This wouldn't require a macro at all, or the use of the
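Added illustration, not part of the answer above: the two .conf stanzas that wire up the automatic lookup the answer describes, using the hostgroups.csv file name from the question. The `[host::*]` stanza (apply to every event) and the lookup name `hostgroup` are assumptions; the settings shown are standard transforms.conf/props.conf keys.

```ini
# transforms.conf  -- define the lookup that maps host -> group
[hosttogroup]
filename = hostgroups.csv
# A host listed under several groups (myserver: dev, app, j2ee) comes back
# as a multivalue "group" field; 1000 is the default for non-temporal lookups,
# stated here so nobody trims it to 1 and silently loses group memberships.
max_matches = 1000
# Default is true; hostnames in the CSV must then match the host field's case
# exactly (e.g. "MyServer" would not match "myserver").
case_sensitive_match = true

# props.conf  -- attach the lookup automatically at search time
# [host::*] is an assumption: it applies the lookup to events from any host.
[host::*]
LOOKUP-hostgroup = hosttogroup host OUTPUT group
```

With this in place, `index=* group="dev"` returns events from myserver and myserver3 with no subsearch, and `| stats count by group` reports per-group counts directly.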