Do lookups only for messages that trigger alerts

Hi Graylog community,

We’re currently using lookup tables for enhancing our log messages. However, this is compute heavy as we ingest tens of thousands of logs per minute, and we don’t actually need the lookup on every message.
We generally only inspect the logs which trigger alerts/events (using the Filter & Aggregation event).

Is it possible to implement the lookup functionality only for log messages that trigger alerts?
Any guidance on this topic would be really appreciated!

Thanks,
Swarna

Hello,

Since lookup tables connect Data Adapters with a Cache, this might be done by creating a data adapter with a CSV file.
Might have a look here if you haven’t already.

https://docs.graylog.org/en/4.1/pages/lookuptables.html

I tried this scenario out in the lab but was unable to find a reliable solution for this problem. Maybe someone else here has done this, but none that I know of. To be honest, this is the first time I’ve heard of executing something like this. You could also post here for a feature request.

Hope that helps
