Nagios Support Forum

Hi,

I am finally digging into the log server and I have gone through some of the documentation for Log server, but it does not seem to be too detailed for what I am looking for. I am currently looking at setting up dashboards and performing various queries of the incoming logs. I had a few questions that I hope will help me get going.

First, what is the use difference between QUERY and FILTERING? From playing around yesterday, it seemed best to leave QUERY with a * and use FILTER to define the search. Kind of similar to running nested greps, grep x | grep y, ...

Are there any docs with use case examples on creating queries/filters. The simple queries are easy, but it would be great to see what I can do with log server. The best comparable that I can think of is when using Splunk, they had an extensive guide that would help create search queries. It included the language to use along with examples.

Last, is there a good guide for creating dashboards and alerting?

Thanks,
David

First, what is the use difference between QUERY and FILTERING?

The distinction seems small at first, but grows as you get more familiar with the product.

The basic difference is that filters are used for filtering out logs you do not want to see, or filtering in logs that you do want to see.

Queries are used for searching through the remaining information.

You can apply several filters (filter by host, username, and ip address range, for example). You can use AND and OR operations between your filters.

Queries can _only_ use the OR operator, because Nagios Log Server expects that anything you query for you _want to see_ - multiple queries means multiple representations of data. For example: The two queries are displayed side-by-side on that graph, because it is assumed that anything you query is something you'd like to see (on graphs, charts, etc) - be sure to keep this in mind when designing your dashboards.

Filters are a more low-level construct for getting rid of noise.

That about described the difference between them in my mind. Let me know if you have any questions.

Are there any docs with use case examples on creating queries/filters. The simple queries are easy, but it would be great to see what I can do with log server.

While I agree that an extensive guide would be useful that directly relates to NLS, we haven't generated one - mostly because there are several great guides on the internet already. Here are some of my favorites:
https://www.elastic.co/guide/en/kibana/ ... lters.html
https://www.mjt.me.uk/posts/kibana-101/

Thanks for the explanation on queries and the links. That is a big help.

Do you have any good urls for Inputs and Filters under global confs? I did start looking around elasticsearch and saw the various plugins. I am trying to put it all together.

Thanks,
David

No problem! I have a few forum posts that explain (in annoying length!) the inputs, filters, and outputs:
http://support.nagios.com/forum/viewtop ... 37&t=32221
http://support.nagios.com/forum/viewtop ... 68#p134768
Less long:
http://support.nagios.com/forum/viewtop ... 28#p137728

Great. Thank you.

I have been playing all afternoon and its all coming together. It would be really cool to have that one doc or a book that has all the examples, configurations for pulling different logs, alerting, etc ... A lot of fun so far.

Thanks again and Happy holidays!

Happy Holidays to you as well! I agree that it'd be good to have this all in one place - that is a project that I'm working on in my spare time.

Glad you like the product - check out the email templating system if you haven't already - it's one of our latest (and most awesome) additions to the software.

May I close this thread? Thanks!

Jesse

Hi Jesse,

You can close this case. When ever you finish the doc, please send it my way.

Cheers