Language:
switch to room list switch to menu My folders
Go to page: 1 2 3 [4]
[#] Thu Mar 19 2015 12:32:31 EDT from LoanShark @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]


One of the most powerful things we do with Splunk is the "transaction" filter. I don't see any direct replacement with logstash... this is statically configured and seems to have limitations, but it's somewhere in the ballpark: http://logstash.net/docs/1.4.2/filters/multiline

not quite close enough, transaction is an ad-hoc query: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Transaction

[#] Thu Mar 19 2015 12:54:57 EDT from dothebart @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

probably one would want something like that:

http://michael.bouvy.net/blog/en/2013/11/19/collect-visualize-your-logs-logstash-elasticsearch-redis-kibana/

this is the logstash alternative:

https://www.graylog.org/overview

(the credativ guys work with it)

Another tool /me wouldn't use... but may be interesting ;-)

http://riemann.io/

 

 



[#] Thu Mar 19 2015 12:58:14 EDT from dothebart @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

I like very much this one:

http://metrics20.org/media/

(have a look at the crazy videos ;-)

It uses a pimped collectd as some of the data sources.



[#] Thu Mar 19 2015 14:19:39 EDT from LoanShark @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]


OK, for one thing, I hadn't correctly understood how logstash fits together with the rest of its ecosystem. Logstash is like splunkforwarder, I guess- it's a piece of low-level plumbing.

The querying all happens in elasticsearch: http://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-queries.html

[#] Thu Mar 19 2015 23:00:07 EDT from ax25 @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

Not similar at all, but I do use this for viewing / checking combined logs from systems:

Epylog - https://fedorahosted.org/epylog/

It lets you boil down combined syslogs from multiple systems, and get rolled up reports on logins, and a free-for-all report of anything that was not parsed in an email.

It takes quite a bit of time to get what they call the "weeder" to build up to rid yourself of the background noise from the reports, and it does take ocasional changes to regexes on lines to account for some daemons changed log output for warnings, etc, but I find it worthwhile.  Once you have your "don't care" lines out of the report, you will be left with the ones to either investigate and act on or just add to the don't care if they turn out to be a more of just miss-placed info output.

You can set up your own roll up reports, but I have not played with that as of yet.



[#] Mon Mar 23 2015 08:15:36 EDT from LoanShark @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]


Not the splunk way - there are no "don't care" records, you throw everything in the big index and figure out how to query it later.

[#] Wed Apr 29 2015 11:15:28 EDT from LoanShark @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]


Been talking to some former coworkers (now at NYTimes, ghod help them) and one of the Splunk alternatives they are looking at is Sumologic:

https://support.sumologic.com/entries/21863767-How-do-I-group-messages-based-on-a-field-I-define

(^^ one of my litmus tests for a Splunk replacement)

http://www.forbes.com/sites/petercohan/2015/02/25/will-sumo-logic-pin-splunk/

[#] Wed Apr 29 2015 12:37:52 EDT from fleeb @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]


Hrm.

https://www.sumologic.com

When you go to this site, you may be treated to the following popup:

This page ws unable to display a Google Maps element. The provided Google API key is invalid or this site is not authorized to use it. Error Code:
InvalidKeyOrUnauthorizedURLMapError

So, they hope to supplant Splunk, but...?

[#] Fri Jun 05 2015 09:48:33 EDT from IGnatius T Foobar @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

Evidently their Big Data got so big it popped out of the screen.

(By the way, we ended up just buying a bigger Splunk license.)