The content pack creation workflow is based on several concepts and terms. You should get familiar with them in order to create and maintain content packs effectively.
Instance
Only administrators or users with edit or full access to the Content Packs permission can import a content pack file as a content pack. If a content pack is imported as a content pack, it cannot be edited.
All users can import a content pack file into a user space. If you import a content pack file into a user space, the operation selectively imports the objects under My Content. When you import a content pack into a user space, you can edit the content packs in a VMware Aria Operations for Logs instance. If you want to publish or modify a content pack, you need an exported content pack.
User
Content packs are created in part from the content saved under Custom Dashboards, also known as user space, or more specifically either My Dashboards or Shared Dashboards on the Dashboards page. While objects from a custom dashboard can be selectively exported, it is recommended that every individual content pack be authored by a separate user entity in VMware Aria Operations for Logs to ensure a clean user space per content pack.
For information about creating users in VMware Aria Operations for Logs, see Managing VMware Aria Operations for Logs User Accounts or the VMware Aria Operations for Logs Administration Guide.
Use a separate content pack author user in VMware Aria Operations for Logs for every content pack you create.
Events
It is essential to collect relevant events before attempting to create a content pack to ensure that a content pack covers all relevant events for a product or an application. One common way to collect relevant events is to ask quality assurance and support teams, as these teams usually have access to, and knowledge about, common events.
Attempting to generate events while you create a content pack is time-consuming and results in missing important events. If QA and support teams are unable to supply events, you may simulate events and use them instead if product or application events are known and documented.
Once you collect the appropriate logs, they must be ingested into VMware Aria Operations for Logs.
Authors
The authors of a content pack need to have the following qualifications:
- Experience using VMware Aria Operations for Logs.
- Real-world operating knowledge of the product or application.
- Understanding and ability to generate optimized regular expressions.
- Experience debugging multiple problems with the product or application using logs.
- Support background, with exposure to a myriad of problems.
- System administrator background with previous syslog experience.
Workflow
The recommended approach for content pack creation is to start on the Explore Logs page and begin querying for specific types of events such as error or warning. Look at the results of the queries and analyze and extract potential field candidates as appropriate. With some understanding of the types of events and useful pieces of information available in the events, construct and save relevant queries as appropriate. For queries that highlight an issue that needs a quick action, create and save alerts. As you save queries, remove them from the results list using a filter to show other events that may be potential candidates for new saved queries. Once you save all relevant queries, organize and display them in a logical manner on the Dashboards page.