Logstash and Splunk are both wonderful, in my experience. What sets them apart from just a plain grep(1) is that they build an index that points keywords to logging events (lines). What if you're looking for events related to a specific interface or LSP? Not a problem with a modest log volume, as grep can tear through text nearly as quickly as your disk can pass it up. However, once you have a ton of historical logs, or just a large volume, grep becomes way too slow, as you have to retrieve tons of unrelated log messages to check whether they're what you're looking for. Having an index gives you a way to search for that interface or LSP name and get a listing of all the locations that contain log events matching what you're looking for.

In the PRISM context, I highly doubt they're using Splunk for any kind of analysis beyond systems and network management. It's not good at indexing non-texty things. What if you need to search for events that were geographically proximate to one another? That takes a special kind of index.

On Wed, Jun 12, 2013 at 6:13 PM, Chip Marshall <chip@2bithacker.net> wrote:
On 2013-06-12, Phil Fagan <philfagan@gmail.com> sent:
Speaking of Splunk; is that really the tool of choice?
I've been hearing a lot of good things about logstash these days too, if you prefer the open source route.
-- Chip Marshall <chip@2bithacker.net> http://2bithacker.net/
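To make the index-versus-grep point above concrete, here is an added example (not code from anyone in this thread, and not how Splunk or Logstash actually implement their indexes, which also bucket by time and do smarter segmentation): a toy inverted index over a handful of constructed syslog-style router lines. Terms are mapped to the ids of the events that contain them, so a query for an interface or LSP name only touches the posting lists for those terms, whereas the grep equivalent has to read every line. The interface names, LSP names, hostnames and addresses in the sample lines are made up. The example also shows the caveat that comes with indexing: the tokenizer decides what is findable. A bare substring such as "to-rtr" that grep would happily match is not an indexed term, and the subinterface "ge-0/0/0.100" does not come back for a query on "ge-0/0/0".

```python
"""Toy inverted index over syslog-style lines, illustrating how an indexer
differs from grep(1): each term maps to the event ids that contain it, so a
lookup for one interface or LSP name touches only the matching postings
instead of re-reading the whole log.

Added example, not code from the mailing-list thread or from Splunk/Logstash.
All log lines below are constructed; device, interface and LSP names are made up.
"""
import re
from collections import defaultdict

# Constructed sample events (event id == list index). Not captured from a real router.
LOG_LINES = [
    "Jun 12 18:01:02 rtr1 mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifName ge-0/0/0",
    "Jun 12 18:01:03 rtr1 rpd[2222]: RPD_MPLS_LSP_DOWN: MPLS LSP to-rtr2 down on primary",
    "Jun 12 18:01:04 rtr1 rpd[2222]: RPD_MPLS_LSP_CHANGE: MPLS LSP to-rtr2 change on primary",
    "Jun 12 18:02:10 rtr1 mib2d[1234]: SNMP_TRAP_LINK_UP: ifIndex 512, ifName ge-0/0/0",
    "Jun 12 18:02:11 rtr1 rpd[2222]: RPD_MPLS_LSP_UP: MPLS LSP to-rtr2 up on primary",
    "Jun 12 18:05:00 rtr1 mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 513, ifName ge-0/0/1",
    "Jun 12 18:05:01 rtr1 rpd[2222]: RPD_MPLS_LSP_DOWN: MPLS LSP to-rtr3 down on primary",
    "Jun 12 18:09:00 rtr1 sshd[999]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2",
    "Jun 12 18:10:00 rtr1 mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 600, ifName ge-0/0/0.100",
]

# A term starts with an alphanumeric and ends with an alphanumeric or '_', so
# "ge-0/0/0", "to-rtr2", "18:01:02" and "192.0.2.10" survive as single terms
# while trailing ':' or ',' punctuation is dropped.
TOKEN_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9_./:-]*[A-Za-z0-9_])?")


def tokenize(line):
    """Return the set of lower-cased index terms in one log line."""
    return {t.lower() for t in TOKEN_RE.findall(line)}


def build_index(lines):
    """Inverted index: term -> sorted list of event ids containing that term."""
    postings = defaultdict(set)
    for event_id, line in enumerate(lines):
        for term in tokenize(line):
            postings[term].add(event_id)
    return {term: sorted(ids) for term, ids in postings.items()}


def query(index, *terms):
    """AND-query: ids of events containing every given term.

    Only the posting lists of the queried terms are consulted; no log line is
    read. Cost scales with the number of hits, not with total log volume.
    """
    if not terms:
        return []
    hits = [set(index.get(t.lower(), ())) for t in terms]
    return sorted(set.intersection(*hits))


def grep(lines, needle):
    """The grep(1) equivalent: case-insensitive substring scan of every line.

    Same job, but every line is read on every search, and substring semantics
    differ from term semantics (a prefix like "to-rtr" matches here).
    """
    needle = needle.lower()
    return [i for i, line in enumerate(lines) if needle in line.lower()]


INDEX = build_index(LOG_LINES)

if __name__ == "__main__":
    print("index terms:", len(INDEX))
    for needle in ("ge-0/0/0", "to-rtr2", "to-rtr"):
        print(f"{needle!r}: index={query(INDEX, needle)} grep={grep(LOG_LINES, needle)}")
    print("LSP to-rtr2 down events:", query(INDEX, "to-rtr2", "RPD_MPLS_LSP_DOWN"))
```

The multi-term query at the end is the kind of search the post has in mind: "all LSP-down events for this LSP" resolves by intersecting two short posting lists. The mismatch between `query` and `grep` on "ge-0/0/0" and "to-rtr" is the practical check to keep in mind with any indexed log search: if the segmentation rules don't split a field the way you search for it, the index will silently return fewer events than a raw scan would.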