In a dashboard designed for a specific application, which will send data to Graylog via a GELF TCP Input, what is the best practice regarding index/index-set: to use Graylog's default indexes or to create a new one?
The practical problem I face is that I need something to select my application’s records only and not other records that may be in Graylog. In Splunk I have done this by creating a custom index for my app, and then starting each search as: index=my_index …
If you don't want to mix other messages (fields), yes, you can create your own index.
Another feature you can use is streams, so a specific application will be forwarded to a stream. After that you can grant permission to read/write to some users. The same applies to dashboards: you can grant permission only to specific users, so you create a role with permissions only on a specific stream and dashboard.
But if I do not create a new index (custom to my content pack), and go for the Stream only, how do I set the Stream's Rule to identify "my" application's records only?
Because in this case an application identifier is needed: something to search for, to make sure that records not from my application are excluded.
Do I need to add another field to my GELF TCP string message, specifically for this reason?
For example, add a field _application and set it to "myapp" on each record. Then search:
application:myapp …
And in this case, is the Stream needed at all? I mean, except for applying the privileges, which is a very good and desired feature.
I have thought about this solution, but I hope it is not the only one.
Because I am short on space with my Oracle UTL_TCP toward the Graylog TCP Input: the first is limited to 32k bytes only, while the second supports no chunked ingestion.
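The two approaches discussed above (an `_application` field in each GELF message, and a stream rule that matches on it), as an added example that is not part of the original thread. The frame builder, the rule matcher and the 32k size guard are assumptions made for this example, not Graylog's own code; the limit value 32 * 1024 is assumed from the "32k bytes" figure given above.

```python
import json
import time

# Assumed from the thread: the Oracle UTL_TCP side is limited to "32k bytes",
# and GELF over TCP has no chunking, so every frame must fit in one write.
UTL_TCP_LIMIT = 32 * 1024
APP_NAME = "myapp"  # the application identifier used in the thread


def build_gelf_frame(short_message, host, application=APP_NAME, level=6, **extra):
    """Build one GELF 1.1 message framed for a Graylog TCP input.

    Additional fields are prefixed with "_" on the wire; Graylog stores
    them without the underscore, so "_application" becomes the searchable
    field "application" (hence the search application:myapp).  GELF TCP
    frames are terminated with a null byte.
    """
    payload = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),
        "level": level,
        "_application": application,
    }
    for key, value in extra.items():
        payload["_" + key.lstrip("_")] = value
    frame = json.dumps(payload).encode("utf-8") + b"\x00"
    if len(frame) > UTL_TCP_LIMIT:
        raise ValueError(f"GELF frame is {len(frame)} bytes, over {UTL_TCP_LIMIT}")
    return frame


def parse_gelf_frame(frame):
    """Decode a null-terminated GELF TCP frame as the input would,
    dropping the single leading underscore of additional fields."""
    doc = json.loads(frame.rstrip(b"\x00").decode("utf-8"))
    return {(k[1:] if k.startswith("_") else k): v for k, v in doc.items()}


def stream_rule_exact(field, value):
    """Local equivalent of a stream rule 'field exactly matches value'.
    Messages lacking the field never match, so records from other
    sources are excluded rather than leaking into the stream."""
    return lambda message: message.get(field) == value


def route_to_stream(messages, rule):
    """Return only the parsed messages the stream rule accepts."""
    return [m for m in messages if rule(m)]
```

Once messages carry the field, the stream rule alone selects the application's records, and the stream (not a separate index) is what the read permissions are granted on.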