Distributed Aggregation Rules

Starting from LogLogic LMI 6.3.0, you can create an aggregation rule on a Management Station and distribute the rule to multiple Remote Appliances in the setup.

Using the distributed aggregation rule, you can run an optimized search query on the Management Station, which in turn runs on the specified Remote Appliances. The results from the specified Remote Appliances are consolidated by the Management Station.

Requirements to use distributed aggregation rules

You can use distributed aggregation rules in Advanced Search if all of the following requirements are met:

  • The Management Station setup includes the required Remote Appliances. For information about how to set up a Management Station, see Manage Appliances with Management Station in the TIBCO LogLogic® Log Management Intelligence Administration.
  • You have permission to access the Remote Appliances and devices on which the search query is to be run.
  • Advanced Features are enabled on the Management Station and Remote Appliances.
  • Advanced Aggregation is enabled on the Management Station and Remote Appliances.

Important Considerations

  • After the aggregation rule is created and distributed, the rule can be modified or deleted only from the Management Station GUI. The rule cannot be modified or deleted from the GUI of Remote Appliances.
  • After the aggregation rule is created and distributed, if you change the Management Station setup (add or remove Remote Appliances), the rule is redistributed only to those appliances that the user who created the rule can access.

Creating distributed aggregation rules

You create an aggregation rule on the Management Station and specify the list of appliances to which the rule is to be distributed. The rule is then distributed to the specified appliances. You specify the appliances using the appropriate values in the sys_concentratorId column or the DeviceInGroup function.

Modifying distributed aggregation rules

If you modify a distributed aggregation rule on the Management Station, the rule is also updated on the appliances to which it was distributed at rule creation time. You can modify any field or parameter in the rule except the list of appliances. To change the list of appliances in a distributed aggregation rule, you must delete the existing rule and create a new one for redistribution.

Deleting distributed aggregation rules

If you delete a distributed aggregation rule on the Management Station, the rule is also deleted on the Remote Appliances. However, if the appliances registered in the Management Station are modified after rule creation time, then the rule is deleted from only those Remote Appliances that are members of the Management Station at deletion time. When a rule is deleted, all aggregated data created by that rule is also deleted.

Searching using the distributed aggregation rule

If you run an optimized Advanced Search query on a Management Station, the query is run on all appliances specified in the aggregation rule, and the results are consolidated by the Management Station. The query is run on only those appliances that are accessible at run time, and search results from only those appliances are consolidated by the Management Station.

You can run the optimized distributed query by specifying the exact rule query or by using a filter Blok created for the rule.

Example using a query:

    USE LogLogic_Appliance | GROUP BY ll_pRuleID | sys_concentratorId = 'ALL'

Example using a filter Blok: If you save the query as a filter Blok LogLogicApplianceBlok, you can search using the filter Blok:

    filter.LogLogicApplianceBlok

Limitations and errors

Limitations

  • You cannot use the Tail functionality in distributed aggregation rules.
  • You cannot use Enrichment Lists as a value in the sys_concentratorId parameter or in the DeviceInGroup function in distributed aggregation rules.

Errors

An error is displayed if:

  • The specified appliance shortcut is invalid.
  • An appliance specified in the distributed query is not a member of the Management Station setup.