[163600] in North American Network Operators' Group
Re: Prism continued
daemon@ATHENA.MIT.EDU (Jonathan Lassoff)
Wed Jun 12 21:38:30 2013
In-Reply-To: <20130613011337.GB46731@2bithacker.net>
Date: Wed, 12 Jun 2013 18:35:35 -0700
From: Jonathan Lassoff <jof@thejof.com>
To: chip@2bithacker.net
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Logstash and Splunk are both wonderful, in my experience.
What sets them apart from just a plain grep(1) is that they build an
index that points keywords to logging events (lines).
What if you're looking for events related to a specific interface or LSP?
Not a problem with a modest log volume, as grep can tear through text
nearly as quickly as your disk can pass it up.
However, once you have a ton of historical logs, or just a large
volume, grep becomes way too slow as you have to retrieve tons of
unrelated log messages to check if they're what you're looking for.
Having an index gives you a way to search for that interface or LSP
name, and get a listing of all the locations that contain log events
matching what you're looking for.
In the PRISM context, I highly doubt they're using Splunk for any kind
of analysis beyond systems and network management. It's not good at
indexing non-texty things.
What if you need to search for events that were geographically
proximate to one another? That takes a special kind of index.
On Wed, Jun 12, 2013 at 6:13 PM, Chip Marshall <chip@2bithacker.net> wrote:
> On 2013-06-12, Phil Fagan <philfagan@gmail.com> sent:
>> Speaking of Splunk; is that really the tool of choice?
>
> I've been hearing a lot of good things about logstash these days
> too, if you prefer the open source route.
>
> http://logstash.net/
>
> --
> Chip Marshall <chip@2bithacker.net>
> http://2bithacker.net/
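The keyword-to-event index described in the reply above, as an added illustration that is not code from the thread, Logstash or Splunk: a small inverted index over constructed router syslog lines, with a linear grep-style scan beside it for comparison. The log lines, file names and line numbers are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real router output), stored as
# (source_file, line_number, message) the way a log collector might keep them.
SAMPLE_LOGS = [
    ("rtr1.log", 1, "Jun 12 18:01:02 rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    ("rtr1.log", 2, "Jun 12 18:01:05 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down"),
    ("rtr2.log", 1, "Jun 12 18:01:07 rtr2 rpd[1234]: RPD_MPLS_LSP_DOWN: MPLS LSP to-rtr3 down on primary()"),
    ("rtr2.log", 2, "Jun 12 18:02:10 rtr2 rpd[1234]: RPD_MPLS_LSP_UP: MPLS LSP to-rtr3 up on primary()"),
    ("rtr1.log", 3, "Jun 12 18:05:00 rtr1 %SYS-5-CONFIG_I: Configured from console by admin"),
]

# Keep the characters that appear inside interface and LSP names so they
# survive as single tokens ("GigabitEthernet0/1", "to-rtr3").
TOKEN_RE = re.compile(r"[A-Za-z0-9_./-]+")


def tokenize(message):
    """Split a log line into a set of lowercase keyword tokens."""
    return {t.lower() for t in TOKEN_RE.findall(message)}


def build_index(logs):
    """Inverted index: keyword -> sorted list of (file, line_number) postings."""
    index = defaultdict(set)
    for source, lineno, message in logs:
        for token in tokenize(message):
            index[token].add((source, lineno))
    return {k: sorted(v) for k, v in index.items()}


def lookup(index, *keywords):
    """AND query over the index: only postings containing every keyword.
    Cost is proportional to the matching postings, not to the total log volume."""
    posting_sets = [set(index.get(k.lower(), ())) for k in keywords]
    if not posting_sets:
        return []
    return sorted(set.intersection(*posting_sets))


def grep(logs, needle):
    """Baseline: touch every line on every query, the cost grep(1) pays."""
    return [(s, n) for s, n, m in logs if needle.lower() in m.lower()]


INDEX = build_index(SAMPLE_LOGS)
```

For a handful of lines both paths return the same postings; the index only pays off once `SAMPLE_LOGS` is replaced by a large archive, because `grep` has to re-read all of it per query while `lookup` reads one posting list.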