nanog mailing list archives

Re: Prism continued


From: Jonathan Lassoff <jof () thejof com>
Date: Wed, 12 Jun 2013 18:35:35 -0700

Logstash and Splunk are both wonderful, in my experience.

What sets them apart from just a plain grep(1) is that they build an
index that points keywords to logging events (lines).

What if you're looking for events related to a specific interface or LSP?
Not a problem with a modest log volume, as grep can tear through text
nearly as quickly as your disk can pass it up.
However, once you have a ton of historical logs, or just a large
volume, grep becomes way too slow as you have to retrieve tons of
unrelated log messages to check if they're what you're looking for.

Having an index gives you a way to search for that interface or LSP
name, and get a listing of all the locations that contain log events
matching what you're looking for.


In the PRISM context, I highly doubt they're using Splunk for any kind
of analysis beyond systems and network management. It's not good at
indexing non-texty things.
What if you need to search for events that were geographically
proximate to one another? That takes a special kind of index.

On Wed, Jun 12, 2013 at 6:13 PM, Chip Marshall <chip () 2bithacker net> wrote:
On 2013-06-12, Phil Fagan <philfagan () gmail com> sent:
Speaking of Splunk; is that really the tool of choice?

I've been hearing a lot of good things about logstash these days
too, if you prefer the open source route.

http://logstash.net/

--
Chip Marshall <chip () 2bithacker net>
http://2bithacker.net/
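The keyword-to-events index the reply above describes, as an added example that is not from the thread and not Logstash's or Splunk's own code: it builds an inverted index over a few constructed syslog lines and answers "which events mention this interface or LSP name" by intersecting postings lists, next to a grep-style scan that has to examine every line. The sample log lines, router names and LSP name are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog events (not from the thread); line number = event id.
LOG_LINES = [
    "Jun 12 18:01:02 rtr1 rpd[1234]: RPD_MPLS_LSP_DOWN: MPLS LSP to-sjc down on primary path",
    "Jun 12 18:01:03 rtr1 mib2d[2001]: SNMP_TRAP_LINK_DOWN: ifIndex 540, ifName ge-0/0/1",
    "Jun 12 18:01:05 rtr2 sshd[77]: Accepted publickey for admin from 192.0.2.10",
    "Jun 12 18:02:10 rtr1 rpd[1234]: RPD_MPLS_LSP_UP: MPLS LSP to-sjc up on secondary path",
    "Jun 12 18:02:11 rtr1 mib2d[2001]: SNMP_TRAP_LINK_UP: ifIndex 540, ifName ge-0/0/1",
    "Jun 12 18:03:00 rtr3 kernel: ge-0/0/1: link is up",
]

# A token starts and ends with an alphanumeric and may contain _ . / : - inside,
# so interface names (ge-0/0/1), LSP names (to-sjc) and IPs survive as one keyword.
TOKEN_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./:-]*[A-Za-z0-9_]|[A-Za-z0-9_]")


def tokenize(line):
    """Return the set of lower-cased keywords in one log line."""
    return {tok.lower() for tok in TOKEN_RE.findall(line)}


def build_index(lines):
    """Inverted index: keyword -> sorted list of event (line) numbers that contain it."""
    index = defaultdict(list)
    for lineno, line in enumerate(lines):
        for tok in tokenize(line):
            index[tok].append(lineno)
    return dict(index)


def search(index, *terms):
    """Events containing every query term. Only the postings for the query terms
    are read; the bulk of the log is never touched."""
    postings = [set(index.get(t.lower(), ())) for t in terms]
    return sorted(set.intersection(*postings)) if postings else []


def grep_scan(lines, *terms):
    """grep-style baseline: substring match over every line.
    Returns (matching event numbers, number of lines examined)."""
    hits = [i for i, line in enumerate(lines)
            if all(t.lower() in line.lower() for t in terms)]
    return hits, len(lines)


if __name__ == "__main__":
    idx = build_index(LOG_LINES)
    print("index:", search(idx, "ge-0/0/1"), "grep:", grep_scan(LOG_LINES, "ge-0/0/1"))
```

Note that the index matches whole keywords while the grep baseline matches substrings, so a query for ge-0/0/1 would also hit a hypothetical ge-0/0/10 under grep but not under the index.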