On Mon, Jan 24, 2011 at 4:25 PM,  <[email protected]> wrote:
> Splunk is great for doing ad-hoc searches through your logs
> (investigations, troubleshooting, etc), but having it do event correlation
> is really inefficient. What you do for 'event correlation' with splunk is
> to define a search and run it repeatedly. if you have enough logs that
> your search time is larger than what will fit in ram, this will really
> hammer your I/O system (on multiple systems if you have scaled your splunk
> install).

Yes, complicated searches using non-indexed data or fields at query
time can drag down the web UI.  Disabling segmenting and tuning the
indexer to ensure it's indexing the data you search on often is
important.  There's also some query tuning one can do to make things
go faster, though it's been a while since I used Splunk so I don't
really remember what those hints are any more :)

Splunk allows you to do similar (though not as complicated) things as
SEC does at Splunk's indexing time via multi-line events and
transactions:
- http://www.splunk.com/base/Documentation/latest/Knowledge/Abouttransactions
- http://www.splunk.com/base/Documentation/latest/Admin/Indexmulti-lineevents
which you can then run a regular job to look for and take action accordingly

Speaking of the regular reports, you can also pre-bake search results
for faster report generation when you need it:
- http://www.splunk.com/base/Documentation/latest/Knowledge/Usesummaryindexing

That all said, for pure "get mail -> see spam -> block host" kind of
event correlation, SEC is probably easier and certainly cheaper than
Splunk.  Splunk takes some extra out-of-the-box work to get your data
rigged correctly, but once that's done and integrated into service and
host config management, the niftyness quotient goes up much more
quickly for Splunk.

-n
-- 
-------------------------------------------
nathan hruby <[email protected]>
metaphysically wrinkle-free
-------------------------------------------
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
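The two approaches this thread contrasts, a stateful correlator that reads each log line once versus a scheduled search that re-runs the same query over the whole log, can be seen side by side on a small sample. The example below is added here and is not code from the thread, from SEC or from Splunk; it assumes a constructed, simplified mail-log line format (timestamp, sending host, spam verdict) and a threshold rule modelled loosely on SEC's SingleWithThreshold pattern ("N spam events from one host within a window, then act once"). It counts how many lines each approach has to read to reach the same "block host" decision.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical, simplified format.
# One unrelated sshd line is included to show that non-matching lines are skipped.
SAMPLE_LOG = [
    "2011-01-24T16:20:01 mailin[1201]: from=192.0.2.10 verdict=spam",
    "2011-01-24T16:20:05 mailin[1201]: from=192.0.2.10 verdict=ham",
    "2011-01-24T16:20:31 mailin[1201]: from=192.0.2.10 verdict=spam",
    "2011-01-24T16:21:02 mailin[1201]: from=198.51.100.7 verdict=spam",
    "2011-01-24T16:21:10 sshd[77]: Accepted publickey for ops",
    "2011-01-24T16:21:40 mailin[1201]: from=192.0.2.10 verdict=spam",
    "2011-01-24T16:35:00 mailin[1201]: from=198.51.100.7 verdict=spam",
    "2011-01-24T16:36:10 mailin[1201]: from=198.51.100.7 verdict=spam",
]

# Pattern for the constructed line format above (hypothetical, not a real MTA format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) mailin\[\d+\]: from=(?P<host>\S+) verdict=(?P<verdict>\w+)$"
)


def parse(line):
    """Return (timestamp, host, verdict) for a mail line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["verdict"]


class ThresholdCorrelator:
    """SEC-style threshold rule: act once when a host produces `threshold`
    spam events inside a sliding `window`; state is kept in memory only."""

    def __init__(self, threshold=3, window=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # host -> timestamps of recent spam events
        self.blocked = set()

    def feed(self, line):
        """Consume one line; return a block action string, or None."""
        parsed = parse(line)
        if parsed is None:
            return None
        ts, host, verdict = parsed
        if verdict != "spam" or host in self.blocked:
            return None
        q = self.events[host]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(host)
            q.clear()
            minutes = int(self.window.total_seconds() // 60)
            return f"block {host} ({self.threshold} spam within {minutes} min)"
        return None


def correlate_streaming(lines, threshold=3, window=timedelta(minutes=10)):
    """Single pass over the log: every line is read exactly once."""
    corr = ThresholdCorrelator(threshold, window)
    actions = [a for a in (corr.feed(line) for line in lines) if a is not None]
    return actions, len(lines)


def correlate_by_repeated_search(lines, threshold=3, window=timedelta(minutes=10),
                                 interval=timedelta(minutes=1)):
    """Scheduled-search approach: re-run the same query every `interval`.
    With no index to narrow the scan, each run reads the whole log again,
    so total reads grow as (number of runs) x (log size)."""
    stamps = [p[0] for p in map(parse, lines) if p is not None]
    if not stamps:
        return [], 0
    tick, end = stamps[0], stamps[-1]
    blocked, lines_scanned = set(), 0
    while tick <= end:
        counts = defaultdict(int)
        for line in lines:  # full rescan on every run
            lines_scanned += 1
            parsed = parse(line)
            if parsed is None:
                continue
            ts, host, verdict = parsed
            if verdict == "spam" and tick - window <= ts <= tick:
                counts[host] += 1
        blocked.update(h for h, n in counts.items() if n >= threshold)
        tick += interval
    return sorted(blocked), lines_scanned


if __name__ == "__main__":
    actions, reads = correlate_streaming(SAMPLE_LOG)
    print("streaming:", actions, "lines read:", reads)
    hosts, scanned = correlate_by_repeated_search(SAMPLE_LOG)
    print("repeated search:", hosts, "lines read:", scanned)
```

Both paths reach the same decision (block 192.0.2.10; 198.51.100.7 never reaches three spam events inside one ten-minute window), but the streaming correlator reads the eight sample lines once, while the one-minute scheduled search re-reads them on each of its seventeen runs. On a real log that exceeds RAM, that multiplier is the I/O cost the quoted message is describing, and it is why summary indexing or indexed fields matter if the scheduled-search model is used.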
