
It would be great if there were some means to automatically select the respective normalizers automatically. This would reduce the implementation overhead and also help us select the best available normalizers. We could leave a process to analyze the logs and find the normalizers it requires at the start of the implementation and allow it some time to process.

What are the limitations/drawback for doing so?

I can see a couple of problems in this:

1: Unnecessary overhead due to multiple normalization rules that need to be evaluated before finding a match

2: Some device types have “common” catch-all rules that will only normalize some parts of the entire log event, which means that if there are any better-suited normalization rules coming after that rule, they will never be evaluated and you’ll end up with bad normalizations. These “catch-all” normalization packages should always be placed at the bottom of your normalization rule order.


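Both sides of the thread (the proposed "analyze a sample, then pick the normalizers" pass, and the two drawbacks in the reply) can be demonstrated with a small first-match normalizer chain. The following Python is an added example written for this page, not code from any SIEM product; the rule names, the regexes, and the four sample events are constructed for illustration. It runs the same events through a chain with the catch-all on top and one with the catch-all at the bottom, counts how many rules each event had to evaluate (drawback 1), shows the fields the catch-all silently loses (drawback 2), and includes a sample-driven `recommend_order` pass that keeps only the specific normalizers that actually fired and forces catch-alls to the end.

```python
import re
from collections import Counter

# Constructed sample events for a hypothetical firewall and SSH host (not real logs).
SAMPLE_LOGS = [
    "<34>Jan 12 10:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=22",
    "<34>Jan 12 10:00:02 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.6 DST=10.0.0.9 PROTO=UDP DPT=53",
    "<85>Jan 12 10:00:03 host2 sshd[1234]: Failed password for root from 192.0.2.7 port 4444 ssh2",
    "<85>Jan 12 10:00:04 host2 sshd[1235]: Accepted publickey for alice from 192.0.2.8 port 4445 ssh2",
]

# Shared syslog header fragments used by every rule below.
TS = r"(?P<ts>\w{3} +\d+ [\d:]+)"
HEADER = r"^<\d+>" + TS + r" (?P<host>\S+) "

# Normalizer registry: name -> (regex whose named groups become normalized fields, is_catch_all).
# Rule names are hypothetical; "cisco_asa" is included only to show a rule that never fires.
RULES = {
    "iptables": (re.compile(
        HEADER + r"kernel: (?P<action>DROP|ACCEPT) IN=(?P<iface>\S+) SRC=(?P<src_ip>\S+) "
        r"DST=(?P<dst_ip>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dst_port>\d+)$"), False),
    "sshd_auth": (re.compile(
        HEADER + r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) "
        r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"), False),
    "cisco_asa": (re.compile(HEADER + r"%ASA-\d-(?P<msg_id>\d+): (?P<msg>.*)$"), False),
    # Catch-all: only splits off the syslog header, leaving the payload as an opaque "msg".
    "syslog_catch_all": (re.compile(r"^<(?P<pri>\d+)>" + TS + r" (?P<host>\S+) (?P<msg>.*)$"), True),
}


def normalize(line, order):
    """First-match normalization: walk the rules in the given order and stop at the first hit.

    Returns (rule_name or None, normalized fields, number of rules evaluated).
    """
    for evaluated, name in enumerate(order, start=1):
        regex, _ = RULES[name]
        m = regex.match(line)
        if m:
            return name, m.groupdict(), evaluated
    return None, {}, len(order)


def analyze(lines, order):
    """Run a sample through the chain and report which rules fired plus the average
    number of rules evaluated per event (the overhead from drawback 1)."""
    hits = Counter()
    evaluated = 0
    for line in lines:
        name, _, n = normalize(line, order)
        hits[name or "unmatched"] += 1
        evaluated += n
    return hits, evaluated / len(lines)


def recommend_order(lines, candidates):
    """Sample-driven selection: try every specific rule before any catch-all so the
    catch-all cannot mask them, keep only the specific rules that fired, and append
    the catch-alls last (the ordering advice from drawback 2)."""
    specific = [n for n in candidates if not RULES[n][1]]
    catch_all = [n for n in candidates if RULES[n][1]]
    hits, _ = analyze(lines, specific + catch_all)
    return [n for n in specific if hits[n] > 0] + catch_all


if __name__ == "__main__":
    bad_order = ["syslog_catch_all", "iptables", "sshd_auth"]
    good_order = recommend_order(SAMPLE_LOGS, list(RULES))
    for label, order in (("catch-all first", bad_order), ("recommended", good_order)):
        hits, avg = analyze(SAMPLE_LOGS, order)
        print(f"{label}: order={order} hits={dict(hits)} avg_rules_evaluated={avg}")
    # The same firewall event, normalized under each order: the catch-all hides src_ip/dst_port.
    print(normalize(SAMPLE_LOGS[0], bad_order)[1])
    print(normalize(SAMPLE_LOGS[0], good_order)[1])
```

With the catch-all on top every event matches on the first rule (cheapest possible chain), but the firewall event comes back with only `pri`, `ts`, `host` and an opaque `msg`; with the recommended order the specific rules fire and the chain averages 1.5 evaluations per event on this sample, which is the trade-off the reply describes. A production version of `recommend_order` would need a sample long enough to cover rare event types, otherwise a normalizer that simply did not appear in the analysis window is pruned and its events fall through to the catch-all later.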