We are evaluating if ELK is the right tool for our logs and event messages.

We need a way to mark warnings as "done". All warnings of this type should be invisible in the future.

Use case:
There was a bug in our code and the dev team has created a fix. Continuous Integration is running, and soon the bug in the production system will be gone.

We need a way to mark the warnings as "this type of warning is already handled, and the fix will be in the production system during the next three hours".

Can you understand what I want? How to handle this with ELK?

Just removing these logs from Elasticsearch is not a solution, since during the next hours (after setting the flag "done") new events can still come into the system.
Couldn't you update the document with a flag on a field?
On 8 April 2015 at 09:43, Thomas Güttler hv@tbz-pariv.de wrote: [quoted message above]
I know how to use a programming language and I could start my own project. But I would like to avoid it, since it leads to "plumbing". I guess other people have the same use case, and I would like to use (and improve) an existing project. But I have not found any up to now.

How do other ELK users solve my use case? I guess I am missing something.

Regards,
Thomas Güttler
On Wednesday, 8 April 2015 11:02:35 UTC+2, James Green wrote: [quoted reply above]
Just update your query to include a NOT, or similar.
On 9 April 2015 at 16:22, Thomas Güttler hv@tbz-pariv.de wrote: [quoted message above]
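One way to realise the "NOT in the query" approach from the reply above, as an added example that is not code from the thread or from Elastic: each handled warning type becomes a suppression rule with an expiry, and the rules are compiled into `must_not` clauses of an Elasticsearch bool query, so events that are already indexed and events that keep arriving are both hidden until the fix is expected in production, and a recurrence after that point shows up again. The field names `warning_type` and `@timestamp` and the three-hour default window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Added example, not code from the thread. Field names `warning_type` and
# `@timestamp` and the three-hour default window are assumptions.
ISO = "%Y-%m-%dT%H:%M:%SZ"

def parse(ts):
    return datetime.strptime(ts, ISO).replace(tzinfo=timezone.utc)

def suppress(warning_type, acknowledged_at, hours=3):
    """Mark a warning type as handled from `acknowledged_at` (ISO 8601 UTC).
    The rule expires once the fix is expected in production, so a recurrence
    after that point becomes visible again instead of staying hidden forever."""
    start = parse(acknowledged_at)
    return {"warning_type": warning_type, "acknowledged_at": start,
            "expires_at": start + timedelta(hours=hours)}

def active(suppressions, now):
    return [s for s in suppressions if s["acknowledged_at"] <= now < s["expires_at"]]

def build_query(suppressions, now, base_query=None):
    """Elasticsearch bool query: the base query with every active suppression
    added as a must_not clause, so "done" types disappear from results
    without deleting or rewriting any indexed document."""
    now = parse(now)
    must_not = [{"bool": {"filter": [
        {"term": {"warning_type": s["warning_type"]}},
        # Cap the window inside the query itself, so a saved search built
        # now still lets post-deadline events through.
        {"range": {"@timestamp": {"lt": s["expires_at"].strftime(ISO)}}},
    ]}} for s in active(suppressions, now)]
    return {"query": {"bool": {"must": [base_query or {"match_all": {}}],
                               "must_not": must_not}}}

def is_visible(event, suppressions, now):
    """The same rule applied locally to one event dict, so the logic can be
    checked without a cluster; it mirrors build_query clause for clause."""
    now, ts = parse(now), parse(event["@timestamp"])
    return not any(s["warning_type"] == event["warning_type"] and ts < s["expires_at"]
                   for s in active(suppressions, now))

if __name__ == "__main__":
    import json
    # Constructed sample rule: warning type acknowledged at the time of the post.
    rules = [suppress("OrderService.NullPointer", "2015-04-08T09:43:00Z")]
    print(json.dumps(build_query(rules, "2015-04-08T10:00:00Z"), indent=2))
```

The query body goes to the `_search` endpoint of the warning index, or into the saved search your dashboard uses.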