|
We're using Splunk to monitor the logs of IBM's Tivoli Storage Manager and we'd like to replace our current home-grown alerting system. We'd like to create alerts based on the TSM error code, and the idea is to have one alert per error code so that they can be managed and thresholded independently (ie. we don't want several cases of a "benign" or understood error code eclipsing the others). The problem is that there are many error codes that we'd like to alert, at current count about 300. Also, we'd like to be able to alert every other error code in case we miss something, but for this we should only get one alert. Now, we could have alerts with searches like these:
but this seems kind of hard to manage, not to mention messy. Is there a better way to do this? |
|
I think that using a lookup might be the best way. Your lookup file could look something like: With automatic lookups your search would become more like: or similar. And, of course, with the addition of severity to the mix, you could treat messages more appropriately, and likely from just a few searches. Hi Mike, Yes, something like this may be the easiest way to deal with the generic alert. I guess I could probably also generate the CSV file programatically if I can get Splunk to give me a list of configured alerts. (Is this possible?) Can you think of any solution to the first issue, ie. having to create 300 alerts in Splunk? Cheers,
(30 May '11, 08:01)
alexiri
1
Why do you need to create 300 alerts? I would imagine that the same lookup would be used to limit yourself to just a few alert searches. In other words, at least from my experience, you wouldn't treat 300 error codes in 300 different ways; you would treat them in groups as "critical" severity, etc, etc. With a lookup, the severity would be added, and so you would only need one or a few searches, IMHO.
(30 May '11, 08:07)
mw
|
