Hi,

We have Apache logs in a variety of indexes from a variety of hosts which represent a variety of different environments. Up until now, we'd been creating and maintaining tags which matched DNS CNAMEs for each Apache host which gave some sort of "coded" information about what environment that was in. As this list grows and shrinks and morphs it's proving a little painful to keep that up to date and keep objects that users can properly reference. I've also heard that tags don't scale all that well so I kind of wanted to get out of the tagging game at least for this purpose.

Ultimately what I'd like to be able to hand users is a way to say something like

eventtype="apache_access_test"

to capture all access log events from Apache servers in the test environment. In our case, such a search would really translate into something like

(index=bar OR index=blaz OR index=biz OR index=foo)(host=C OR host=D OR host=G OR host=H OR host=Y OR host=Z...)

where the indexes represent the locations that various applications have their access logs stored in and the hosts listed represent hosts that are members of that environment type. Maintaining a long list of OR'd hosts is a bit of a pain so I thought I'd be clever and create a little lookup table so that that didn't have to be a list but a lookup. Unfortunately, it appears that eventtypes can't contain pipes so there goes that idea.

That brings me to the idea of creating macros. Macros seem to me to be less intuitive for users than something like an eventtype label might be. I'm also not really sure how they might be performance-wise.

And then this all brings me back full-circle to wondering if I should be doing a combination of tagging here and the eventtype. That is, tag to label hosts as "apache_test" and "apache_prod" so that my eventtype specification is a list of indexes and a single tag="apache_test" entry.

Anyway, I'm looking for advice on my situation. Hopefully someone has done this type of thing before.

Thanks!