Risto, Anyone,

I was considering counting various string matches using SEC across
numerous (over potentially 20) logs simultaneously.  There should be few
string matches, but when combined at peak times there could be perhaps
several thousand extraneous lines to parse per second.  SEC may be able
to handle it but I recall you noting another utility "logpp".  I
reviewed its man page and it seems to be a good fit to more efficiently
trim the logs before evaluating them with SEC.

From the logpp output I need to know its input source.  I haven't tried
it but I'm thinking there is no glob-like loading of a dynamic list of
log files via logpp config like this:

input app-log-input {
  file /app/log/*.log
}

So I'm thinking I could build the input part of my logpp config file
dynamically (before logpp startup) and then load it with each file
explicitly specified like this:

input app-logs-input {
  file /app/log/A.log
  file /app/log/B.log
  and so on...
}

My filter's template could then prefix each log line with the filename
like this:

filter app-logs-filter {
  regexp something X
  regexp another thing Y
  template filename $~: $0
}

Where $~ is the filename and $0 is the log's line of text.

I could then use SEC to extract the filename from each line and set up my
counts and such using it.

Any other solution you'd recommend?


Another logpp question (with a similar need for SEC to determine the
input sources):

Any preferred/simple way to set up logpp to read multiple ssh inputs?
For example, could I configure input from "ssh m...@serverx tail -f
/app/log/X.log" and "ssh m...@servery tail -f /app/log/X.log" to be read
by logpp? Actually I have potentially 12 separate hosts with ssh inputs
I'd like to gather into a single event stream to feed SEC such that SEC
can also extract the input source (hostname in this case).  This is not
a high volume scenario.  Just curious if logpp could easily consolidate
distributed logs that could be monitored from a central location.


Regards,
Rock




_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
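
Added example, not part of the original message and not code from the logpp project: one way to build the explicit input stanza described in the message from a directory listing before logpp starts. The function name gen_logpp_input, the file-name allowlist and the symlink skip are assumptions of this example; the stanza layout is the one shown in the message.

```shell
#!/bin/sh
# Emit a logpp "input" stanza that lists every *.log file in a directory
# explicitly, for a config file generated before logpp is started.
# Assumption: one "file <path>" line per input, with no quoting of paths,
# so only file names made of A-Z a-z 0-9 . _ - are accepted.
# The directory argument is operator-supplied and is not checked.

gen_logpp_input() {
    name=$1
    dir=$2
    body=""
    count=0
    for f in "$dir"/*.log; do
        # An unmatched glob stays literal; -f also drops dirs, FIFOs, sockets.
        [ -f "$f" ] || continue
        # Design choice of this example: skip symlinks so a link placed in
        # the log directory cannot point logpp at a file outside it.
        [ -L "$f" ] && { echo "skip (symlink): $f" >&2; continue; }
        base=${f##*/}
        case $base in
            *[!A-Za-z0-9._-]*)
                # Whitespace, braces or ':' in a name could break the config
                # or the "filename: line" prefix that SEC later parses.
                echo "skip (unsafe name): $f" >&2
                continue ;;
        esac
        body="${body}  file ${f}
"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no usable log files in $dir" >&2
        return 1
    fi
    printf 'input %s {\n%s}\n' "$name" "$body"
}

# Stand-alone use: script.sh <input-name> <log-dir> > generated-input.conf
if [ "$#" -eq 2 ]; then
    gen_logpp_input "$1" "$2"
fi
```

Files created after the stanza is generated are not picked up until the config is regenerated and logpp is restarted.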
