Logstash and Splunk are both wonderful, in my experience. What sets them apart from just a plain grep(1) is that they build an index that points keywords to logging events (lines).

What if you're looking for events related to a specific interface or LSP? Not a problem with a modest log volume, as grep can tear through text nearly as quickly as your disk can pass it up. However, once you have a ton of historical logs, or just a large volume, grep becomes way too slow, as you have to retrieve tons of unrelated log messages to check if they're what you're looking for. Having an index gives you a way to search for that interface or LSP name and get a listing of all the locations that contain log events matching what you're looking for.

In the PRISM context, I highly doubt they're using Splunk for any kind of analysis beyond systems and network management. It's not good at indexing non-texty things. What if you need to search for events that were geographically proximate to one another? That takes a special kind of index.

On Wed, Jun 12, 2013 at 6:13 PM, Chip Marshall <c...@2bithacker.net> wrote:
> On 2013-06-12, Phil Fagan <philfa...@gmail.com> sent:
>> Speaking of Splunk; is that really the tool of choice?
>
> I've been hearing a lot of good things about logstash these days
> too, if you prefer the open source route.
>
> http://logstash.net/
>
> --
> Chip Marshall <c...@2bithacker.net>
> http://2bithacker.net/
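An added illustration of the keyword-to-event index described above, written for this thread and not taken from Logstash or Splunk: it builds an inverted index over a few constructed syslog-style lines and answers an interface or LSP lookup from posting lists, beside the grep-style linear scan that must touch every line.

```python
"""Toy inverted index over router log lines, keyed by tokens such as interface or LSP names."""
import re
from collections import defaultdict

# Constructed sample log lines for the demo; not real router output.
SAMPLE_LOGS = [
    "Jun 12 18:01:03 rtr1 rpd[1234]: RPD_MPLS_LSP_DOWN: MPLS LSP lsp-to-rtr2 down on primary path",
    "Jun 12 18:01:05 rtr1 mib2d[567]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifName ge-0/0/1",
    "Jun 12 18:01:09 rtr2 sshd[89]: Accepted publickey for admin from 192.0.2.10",
    "Jun 12 18:02:11 rtr1 mib2d[567]: SNMP_TRAP_LINK_UP: ifIndex 512, ifName ge-0/0/1",
    "Jun 12 18:02:15 rtr1 rpd[1234]: RPD_MPLS_LSP_UP: MPLS LSP lsp-to-rtr2 up on primary path",
]

# Keep interface names (ge-0/0/1), LSP names (lsp-to-rtr2) and IPs intact as single tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9./_-]*")


def tokenize(line):
    """Lower-cased set of tokens in one log line."""
    return {t.lower() for t in TOKEN_RE.findall(line)}


def build_index(lines):
    """Map each token to the ascending list of line offsets that contain it (the inverted index)."""
    index = defaultdict(list)
    for offset, line in enumerate(lines):
        for tok in tokenize(line):
            index[tok].append(offset)
    return index


def search(index, *terms):
    """AND-query over the index: offsets containing every term, read from posting lists only."""
    postings = [set(index.get(t.lower(), ())) for t in terms]
    return sorted(set.intersection(*postings)) if postings else []


def grep(lines, term):
    """Linear scan for comparison: examines every line, matching or not, on every query."""
    term = term.lower()
    return [i for i, line in enumerate(lines) if term in line.lower()]


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOGS)
    print("index lookup ge-0/0/1:", search(idx, "ge-0/0/1"))
    print("grep scan    ge-0/0/1:", grep(SAMPLE_LOGS, "ge-0/0/1"))
    print("LSP down only:", search(idx, "lsp-to-rtr2", "rpd_mpls_lsp_down"))
```

Both lookups return the same offsets on this small input; the difference is that `search` reads only the posting lists for the query terms, while `grep` reads all lines every time.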