I'm curious what the recommended max number of "Log Entries" are in one Log Analyzer Rule? How many strings are too many?
That is an interesting question ... I will have to ask the team if there is any limit or a number that is reasonable to keep it under.
I should have asked... Do you already have a rule with quite a lot of them that isn't working or is the question more theoretical in nature?
I have a rule with about 75 different strings in them, and the website freezes when trying to load it, but eventually will load everything. I also have a support case open for this but after 2 days, no one has touched it yet. One rule i need to create has about 399 entries to look for, and in creating one that needed approx 200, i broke it out in chunks of 50 when 70+ seemed unmanageable.
Can you send me the ticket number so I can check on the progress of the case?
Can you be a bit more specific about the nature of your rule? If there are 400 variations on the log message is that really all tracking back to a single type of issue or is this lots of different situations?
Lots of different situations. These are not 400 traps for just one or two issues, but just about anything that vendor's device could spit out that we want our engineers to acknowledge and take a look at. Between the 20-something vendors i have, there's just about 2,000 strings i need to look for and have in rules. Some of these are better suited for Orion's methods of alerting (for example, not relying on SNMP Traps for hardware health issues when Orion can do that) but for now i'm more worried about making rules that are too "large".
