SafeAF / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

Swap host value with node value if host value=127.0.0.1 #62

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
If logs are received locally on a Node instance, the host field has a value of 
127.0.0.1.  It would be more useful if the host field were replaced with the IP 
of the node.

From you:

As to displaying which node the logs came from, while the "node" field is sent 
in the record already, it's just not displayed.  I'd have to make a change to 
include it.  I suppose I could do a client-side check to see if host=127.0.0.1 
and node is something different, then swap them.  Would that make sense?

and...

No overhead, the Javascript would handle it.  It should be very quick 
to code, but so I can track it, would you mind pasting this in as a 
feature req?  Thanks! 

Original issue reported on code.google.com by jeffrey....@gmail.com on 23 Aug 2012 at 10:39

GoogleCodeExporter commented 9 years ago
K, I have this ready to go, but one more thought: would it be better to simply 
include node=x.x.x.x as a standard field in addition to host, regardless of 
whether or not host was 127.0.0.1?

Original comment by mchol...@gmail.com on 24 Aug 2012 at 5:27

GoogleCodeExporter commented 9 years ago
My opinion is that exposing that wouldn't hurt.  I don't think it would clutter 
the results unnecessarily...but I had already thought about this and I was 
wondering if it would look better as a separate column in the query results 
akin to Info & Timestamp?  And along the same vein of thinking, I was wondering 
if it would also be helpful to add a column for the Program too?

I was demo'ing to a co-worker today and showed them the power of querying just 
based on a keyword or IP rather than querying a specific logtype and showed how 
easy it was to correlate events, but they mentioned that it wasn't very 
intuitive to see which log types were being displayed.

I wouldn't want to have 'Field' creep occur and make the query results too 
specific, but I think:

| Info | Node | Program | Timestamp | Results/Fields |

would look pretty good and have all the pertinent high-level data most analysts 
would want to be able to see/sort at a glance.

Original comment by jeffrey....@gmail.com on 24 Aug 2012 at 5:40

GoogleCodeExporter commented 9 years ago
Or maybe:

| Info | Timestamp | Node | Program | Fields |

Original comment by jeffrey....@gmail.com on 24 Aug 2012 at 5:51

GoogleCodeExporter commented 9 years ago
Ok, good points.  Early versions (non-published) of ELSA had host and program 
broken out as separate columns, but we found that the screen real estate was 
too valuable to include them.  I suppose that varies org to org.  One feature 
I'm strongly considering adding is the ability to view the logs in a grid 
format versus the current WELF-style which is good for non-parsed logs, but not 
as good for field-based data.  The grid would be a simple table where each 
field has a column.  You could switch between these views with a Javascript 
toggle button of some sort.  Do you think that would solve your use case?

Original comment by mchol...@gmail.com on 24 Aug 2012 at 5:58

GoogleCodeExporter commented 9 years ago
A toggle for WELF-style and grid format would be great...but I think something 
that would make it a Super Feature™ is if in grid view, you could further 
toggle which columns to display, due to the premium on screen real-estate you 
mentioned.

Because if you did a keyword query and your results contained 7 different log 
types that contained ~30 different fields amongst them, that would be a bunch 
of columns.  If you could toggle/hide some of them, that'd be pretty powerful 
from a UI perspective.  This should probably be in a different FR, eh?

Our value in having the node displayed as a separate column and making it a bit 
more prominent of a data point is that we'll be running with multiple nodes.  
As I understand it, in your environment, you primarily rely on one node?

And I think because ELSA is so great at dealing with whatever kind of logs you 
want to throw at it, that being able to quickly/easily differentiate between 
the log types is helpful (but maybe not 'necessary').  Just a matter of 
prioritization.

To answer your question, I think if the node value was exposed and you could 
toggle between grid views with sortable columns, this would definitely solve 
our use-case.

And it would be awesome if we could alternatively use a unique, assigned string 
for the node as opposed to the node IP, if we wanted.  ;)

Original comment by jeffrey....@gmail.com on 24 Aug 2012 at 6:09
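The client-side swap described in the original report (if host=127.0.0.1 and node is something different, show the node instead) and the two follow-up requests in the comment above (an operator-assigned node name, and choosing which columns to display) can be put together in a few lines of browser JavaScript. The block below is an added example, not ELSA's own code and not code from either commenter. It assumes result records are plain objects carrying `host` and `node` fields as the thread describes; the `orig_host` and `node_name` fields, the alias map, and the treatment of `::1` and `localhost` as loopback (broader than the issue's single 127.0.0.1 check) are illustrative choices.

```javascript
"use strict";

// Added example, not ELSA's code. Normalises query-result records on the
// client: a loopback host with a different node value is displayed as the
// node address, the original host is kept as evidence, an optional alias
// map supplies a friendly node name, and a column list picks what to show.

// Broader than the issue's 127.0.0.1 check: IPv6 loopback and the literal
// "localhost" are treated the same way (an assumption of this example).
const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);

// Assumed operator-assigned names keyed by node address (not an ELSA setting).
const NODE_ALIASES = {
  "10.0.0.5": "dc1-collector",
  "10.0.0.6": "dc2-collector",
};

function isLoopback(host) {
  return typeof host === "string" && LOOPBACK.has(host.trim().toLowerCase());
}

// Returns a copy of the record with the host/node swap applied. The swap only
// happens when node is present and actually differs from host, and the value
// the log really carried is preserved in `orig_host` rather than overwritten.
function normalizeRecord(rec, aliases = NODE_ALIASES) {
  const out = { ...rec };
  const { host, node } = rec;
  if (isLoopback(host) && typeof node === "string" && node !== "" && node !== host) {
    out.orig_host = host;
    out.host = node;
  }
  if (typeof node === "string" && Object.prototype.hasOwnProperty.call(aliases, node)) {
    out.node_name = aliases[node];
  }
  return out;
}

// Projects a record onto the columns the user chose to display; missing
// fields render as empty strings so every row has the same width.
function selectColumns(rec, columns) {
  return columns.map((c) => (rec[c] === undefined || rec[c] === null ? "" : String(rec[c])));
}

// Constructed sample results, not real ELSA output.
const SAMPLE_RESULTS = [
  { timestamp: "2012-08-24T17:40:00Z", host: "127.0.0.1", node: "10.0.0.5", program: "sshd", msg: "Accepted publickey for ops from 192.0.2.10" },
  { timestamp: "2012-08-24T17:40:01Z", host: "192.0.2.44", node: "10.0.0.5", program: "snort", msg: "alert: ET SCAN" },
  { timestamp: "2012-08-24T17:40:02Z", host: "127.0.0.1", node: "127.0.0.1", program: "cron", msg: "session opened" },
  { timestamp: "2012-08-24T17:40:03Z", host: "::1", node: "10.0.0.6", program: "syslog-ng", msg: "restarted" },
];

// Normalises every record and returns rows limited to the chosen columns.
function renderRows(records, columns, aliases = NODE_ALIASES) {
  return records.map((r) => selectColumns(normalizeRecord(r, aliases), columns));
}

console.table(renderRows(SAMPLE_RESULTS, ["timestamp", "node_name", "host", "orig_host", "program", "msg"]));
```

Keeping `orig_host` matters more than it looks: once the displayed host is rewritten, an analyst can no longer tell a log generated on the collector itself from one forwarded by a remote host that spoofed or misconfigured its hostname, so the swap should be visible, not silent. The third sample row shows the "node is something different" condition doing its job: host and node are both 127.0.0.1, so nothing is swapped.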

GoogleCodeExporter commented 9 years ago
Ok, so what if the elsa_web.conf has a configuration for specifying which of 
the standard columns (host, program, node) are displayed by default?  I can 
leave the node-host swap code in as well.  I think I need to ruminate on the 
grid layout a bit more.

Also, our org has multiple nodes, but they are load balanced, so the node value 
is irrelevant.

Original comment by mchol...@gmail.com on 24 Aug 2012 at 1:31

GoogleCodeExporter commented 9 years ago
That would be perfect for me.  With the ability to toggle fields, this 
enhancement shouldn't annoy anyone.  And hopefully other people find it useful.  
Win-win?

Original comment by jeffrey....@gmail.com on 24 Aug 2012 at 2:15

GoogleCodeExporter commented 9 years ago
This is added in rev 390.

Original comment by mchol...@gmail.com on 24 Aug 2012 at 3:11