I have a rule with about 75 different strings in them, and the website freezes when trying to load it, but eventually will load everything. I also have a support case open for this but after 2 days, no one has touched it yet. One rule i need to create has about 399 entries to look for, and in creating one that needed approx 200, i broke it out in chunks of 50 when 70+ seemed unmanageable.
Can you be a bit more specific about the nature of your rule? If there are 400 variations on the log message is that really all tracking back to a single type of issue or is this lots of different situations?
Lots of different situations. These are not 400 traps for just one or two issues, but just about anything that vendor's device could spit out that we want our engineers to acknowledge and take a look at. Between the 20-something vendors i have, there's just about 2,000 strings i need to look for and have in rules. Some of these are better suited for Orion's methods of alerting (for example, not relying on SNMP Traps for hardware health issues when Orion can do that) but for now i'm more worried about making rules that are too "large".
You might have better luck going the opposite route and creating rules to drop any events types that are not actionable, that way instead of sifting through a million events looking for useful data you only keep useful events in the db and immediately route everything else to the garbage? Log Manager is not exactly dialed in to operating as a full on a SIEM. It might be a 6 of one, half a dozen of the other kind of situation though.
I know in most sql queries having a long list of OR conditions against strings tends to be really hard on system performance, and you've already run into the limitations of the GUI itself to display the rules. I know in the regular alert builder I had some cases before where I used code to build alert conditions that had like dozens of lines of logic in them and they also were really slow to display as well.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.