Best practice when adding event breakers to sources with different teams using the same source?
What's the best practice when adding event breakers to sources with different teams using the same source? E.g. suppose I have a Splunk TCP input, and several teams are sending data to it. When I need non-default line breaking, I need to add them to the Event Breakers under Processing Settings. There, I can either add one rule set per team, and each rule set could have any number of rules (e.g. one for this sourcetype, another one for a second sourcetype). I could also add one rule set per sourcetype, however. I feel like the Event Breaker rulesets exist to logically group the line breaking rules, e.g. by team - correct?
Answers
Correct. If all data comes in on one source, you can use the filters in the event breaker rulesets to match the event and break the events. You can add multiple rulesets or multiple event breakers to the source.
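To make the answer above concrete, here is an added example (my own Python, not Cribl's code and not something posted in this thread) that models how one Splunk TCP source's Event Breaker rulesets get applied. It assumes what the Cribl docs describe: rulesets are evaluated top to bottom, the rules inside a ruleset top to bottom, and the first rule whose ruleset filter and own condition both match is the one that breaks the data; the text the breaker regex matches is treated as the separator and dropped, so a lookahead is what keeps the timestamp on the next event. The ruleset names, the `sourcetype` values and the log chunk are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Optional

# Hypothetical model of Cribl Stream Event Breaker rulesets (assumption based
# on the product docs, not a copy of Cribl's implementation).


@dataclass
class Rule:
    name: str
    condition: Callable[[Dict], bool]  # per-rule filter condition
    breaker: str                       # breaker regex; its match is the dropped separator


@dataclass
class Ruleset:
    name: str
    filter: Callable[[Dict], bool]     # ruleset-level filter (the "team" level)
    rules: List[Rule]


def select_rule(rulesets: List[Ruleset], meta: Dict) -> Tuple[Optional[str], Optional[Rule]]:
    """First-match: walk rulesets in order, then their rules in order."""
    for rs in rulesets:
        if not rs.filter(meta):
            continue
        for rule in rs.rules:
            if rule.condition(meta):
                return rs.name, rule
    return None, None


def break_events(raw: str, rule: Rule) -> List[str]:
    """Split a raw chunk into events; the separator the breaker matched is dropped."""
    return [e.rstrip("\r\n") for e in re.split(rule.breaker, raw) if e.strip()]


def process(rulesets: List[Ruleset], meta: Dict, raw: str):
    """Return (ruleset name, rule name, events) for one chunk from the shared source."""
    rs_name, rule = select_rule(rulesets, meta)
    if rule is None:
        return None, None, [raw]
    return rs_name, rule.name, break_events(raw, rule)


# Lookahead keeps the timestamp on the next event; stack-trace lines stay attached.
JAVA_BREAKER = r"[\n\r]+(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
NEWLINE_BREAKER = r"[\n\r]+"

# One ruleset per team, several rules inside it (one per sourcetype).
TEAM_APP = Ruleset(
    name="team-app",
    filter=lambda m: m.get("sourcetype", "").startswith("app:"),
    rules=[
        Rule("java-multiline", lambda m: m.get("sourcetype") == "app:java", JAVA_BREAKER),
        Rule("json-lines", lambda m: m.get("sourcetype") == "app:json", NEWLINE_BREAKER),
    ],
)
TEAM_NET = Ruleset(
    name="team-net",
    filter=lambda m: m.get("sourcetype", "").startswith("fw:"),
    rules=[Rule("firewall-lines", lambda m: True, NEWLINE_BREAKER)],
)
# Catch-all last: a ruleset whose filter is always true must not sit above the
# team rulesets, or it silently wins for everyone.
FALLBACK = Ruleset("fallback", lambda m: True, [Rule("newline", lambda m: True, NEWLINE_BREAKER)])
RULESETS = [TEAM_APP, TEAM_NET, FALLBACK]

# Constructed sample chunk from the "app" team: one error with a stack trace, then a normal line.
JAVA_CHUNK = (
    "2024-05-01 10:00:00 ERROR Request failed\n"
    "java.lang.NullPointerException: boom\n"
    "\tat com.example.Svc.run(Svc.java:42)\n"
    "2024-05-01 10:00:01 INFO Recovered\n"
)

if __name__ == "__main__":
    for meta in ({"sourcetype": "app:java"}, {"sourcetype": "fw:asa"}, {"sourcetype": "other"}):
        rs, rule, events = process(RULESETS, meta, JAVA_CHUNK)
        print(meta["sourcetype"], "->", rs, "/", rule, "->", len(events), "event(s)")
    # Same data, catch-all ruleset ordered first: the stack trace is split into 4 events.
    print("misordered ->", process([FALLBACK] + RULESETS, {"sourcetype": "app:java"}, JAVA_CHUNK)[:2])
```

The last line is the check worth running whenever a new team's ruleset is added to a shared source: the ruleset filter decides which team's rules even get consulted, so a broad filter placed too high in the list takes the data away from the more specific rulesets below it, and the only symptom is multiline events arriving as fragments.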
Alright, I just wasn't sure if there was something more behind that which I was missing.
Thanks!