That's my understanding as well. Sadly, however, that's not what the account manager told my boss when she was on the phone with him. We were looking for something that would hold all our log files and allow us to sort through them to track down a variety of problems. One of our biggest issues is trying to do a root cause analysis when issues occur. I often bring up STP on our network devices as an example because that was one such issue that this system should have helped me resolve. I had installed a new switch and configured it properly, but never checked to make sure it wasn't going to be the root. That new switch became the root and ended up disabling the EtherChannel I had on another, causing the now only 1GB link to overload, bringing the network to its knees on several occasions. Sadly, it took me almost a month to track down, as it was random and by the time I got into the network to figure it out the problem was resolved. When we were originally looking for an application we had considered several different applications, Splunk being one of them. However, considering the price and the idea that LEM would do exactly what we wanted, we chose LEM.
I understand this could potentially crash the system if I gather too many alerts, but I'm confident I can do exactly what you do: only send to LEM what I want to gather. I honestly would much rather be in control over this than hard limitations. With that said, I did just get an email from support telling me that the connector is finished, with instructions on how to install.
But first I need to contact Support to figure out why the VM keeps crashing. Once I get all this done I'll write up something pretty and post here for any future person having the same issue.
At the end of the day those connector tools are just a big list of regex rules that parse the incoming event and decide what type of event they are and break out all the parts of the message for normalization. I've felt hackish before and exported mine out and imported back in a modified version as a new connector profile, but obviously that kind of thing is unsupported.
I wish I had a better understanding of doing just that. This program feels vastly different than the other SolarWinds products I've used.
But on the plus side, I did manage to get my problem resolved and it was just about what you have done, except I didn't do it. The Dev team over at SolarWinds managed to write me up a new connector, gave me instructions on how to upload it and … with a tech support call managed to get the switches using it. I'm still confused as to how this all works, but what you're saying makes sense: all that connector does is filter out information. This new connector doesn't do any of that, just posts the raw data. With that said, I'm guessing I've increased my events from say 10 a week per switch to around 10k, well below what my system can handle, but we shall see as I start increasing what is sent. That procedure, well, that's an entirely different subject.
For those having the same problem, I wish I could give you a step by step on how to resolve this, but it required getting the connector from SolarWinds.
I was modifying an existing template as a one-off, but the syntax I was messing with was basically just regex with capture groups. Building the logic wasn't rocket science but to build one completely from scratch would be a pretty significant amount of work to create all the rules.
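The "list of regex rules with capture groups" idea described in the replies above, as an added example that is not part of the original thread and is not SolarWinds LEM connector syntax. The rule names, field names and sample lines are constructed for illustration; the messages are modelled on Cisco IOS-style syslog, which is an assumption since the thread does not name a switch vendor.

```python
import re

# Syslog header: <PRI>timestamp host message
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<message>.*)$")

# Ordered rule list (hypothetical, not LEM syntax): first match wins, and the
# named capture groups become the normalized fields of the event.
RULES = [
    ("LinkStateChange", re.compile(
        r"%LINK-\d-UPDOWN: Interface (?P<interface>\S+), changed state to (?P<state>\w+)")),
    ("PortChannelMemberLeft", re.compile(
        r"%EC-\d-UNBUNDLE: Interface (?P<interface>\S+) left the port-channel (?P<channel>\S+)")),
    ("StpRootChange", re.compile(
        r"%SPANTREE-\d-ROOTCHANGE: Root Changed for vlan (?P<vlan>\d+)")),
]

def normalize(line):
    """Classify one syslog line and break out its fields."""
    header = HEADER.match(line)
    if header is None:
        return {"event_type": "Unparsed", "raw": line}
    event = {
        "event_type": "Unmatched",  # kept with its raw text instead of being dropped
        "host": header["host"],
        "timestamp": header["timestamp"],
        "severity": int(header["pri"]) % 8,  # PRI = facility * 8 + severity
        "raw": line,
    }
    for event_type, pattern in RULES:
        match = pattern.search(header["message"])
        if match:
            event["event_type"] = event_type
            event.update(match.groupdict())
            break
    return event

# Constructed sample lines, not taken from any real device.
SAMPLE = [
    "<187>Mar  3 10:15:02 sw-core-01 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>Mar  3 10:15:03 sw-core-01 %EC-5-UNBUNDLE: Interface Gi0/1 left the port-channel Po1",
    "<189>Mar  3 10:15:04 sw-dist-02 %SPANTREE-5-ROOTCHANGE: Root Changed for vlan 10: New Root Port is Gi0/24",
    "<190>Mar  3 10:15:09 sw-core-01 %SYS-6-CLOCKUPDATE: System clock has been updated",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(normalize(line))
```

Lines that match no rule come back as `Unmatched` with the raw text preserved, so events like a root change can still be searched later even before a rule exists for them.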