That makes sense. I could definitely use Splunk for something like
that. Thanks for the ideas.

On Sat, Apr 18, 2009 at 9:16 AM, Kon Wilms <konfoo@gmail.com> wrote:
> On Sat, Apr 18, 2009 at 2:22 AM, Gabriel Ramuglia <gabe@vtunnel.com> wrote:
>> If I have to do a lot of processing to reduce my log volume, and then
>> go back to the raw logs in case I actually needed the data, is there
>> really a lot of benefit to using Splunk in the first place?
>
> Depends on who your Splunk users are and how important the extraneous
> data is. If it is tech support staff then it is still invaluable at
> being able to give them a mid/high level overview of any outages or
> problems with customer accounts (since they may not be able to fix the
> underlying problem anyway). If you have hundreds of accounts and
> servers offering multiple services, it is a big help. And many times
> there is no need to log all the data on the system, e.g. with a lot of
> rsync jobs you really don't need the rsync logging output -- only if
> the job was successful. Similarly with sync jobs that run every 5
> minutes, I don't log success; only failure. The list goes on...
>
> Cheers
> Kon