The content pack creation workflow is based on several concepts and terms. You should get familiar with them in order to create and maintain content packs effectively.
Only vRealize Log Insight administrators can import a content pack file as a content pack. A content pack that is imported as a content pack cannot be edited.
All users can import a content pack file into a user space. Importing into a user space selectively imports the objects under My Content, and you can then edit the imported content in the vRealize Log Insight instance. If you want to publish or modify a content pack, you need an exported content pack.
Content packs are created in part from the content saved under Custom Dashboards, also known as user space, or more specifically either My Dashboards or Shared Dashboards on the Dashboards page. While objects from a custom dashboard can be selectively exported, it is recommended that every individual content pack be authored by a separate user entity in vRealize Log Insight to ensure a clean user space per content pack.
For information on creating users in vRealize Log Insight, see the VMware vCenter Log Insight Administration Guide.
Use a separate content pack author user in vRealize Log Insight for every content pack you create.
It is essential to collect relevant events before attempting to create a content pack, to ensure that the content pack covers all relevant events for a product or an application. One common way to collect relevant events is to ask quality assurance and support teams, as these teams usually have access to, and knowledge about, common events.
Attempting to generate events while you create a content pack is time consuming and results in missing important events. If QA and support teams are unable to supply events, you may simulate events and use them instead, provided the product or application events are known and documented.
Once you collect the appropriate logs, they must be ingested into vRealize Log Insight.
The authors of a content pack need to have the following qualifications:
Experience using VMware vRealize Log Insight.
Real world operating knowledge of the product or application.
Understanding and ability to generate optimized regular expressions.
Experience debugging multiple problems with product or application using logs.
Support background, with exposure to a myriad of problems.
System administrator background with previous syslog experience.
The recommended approach for content pack creation is to start on the Interactive Analytics page and begin querying for specific types of events such as error or warning. Look at the results of the queries and analyze and extract potential field candidates as appropriate. With some understanding of the types of events and useful pieces of information available in the events, construct and save relevant queries as appropriate. For queries that highlight an issue that needs a quick action, create and save alerts. As you save queries, remove them from the results list using a filter to show other events that may be potential candidates for new saved queries. Once you save all relevant queries, organize and display them in a logical manner on the Dashboards page.
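The triage loop described above, modelled offline as an added example (not VMware code, and it does not call any Log Insight API). Saved queries are represented as regular expressions whose named groups stand in for extracted fields. The sample events, query names, and the `triage` function are constructed for illustration.

```python
import re

# Constructed sample events; in practice these come from QA or support teams.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z host1 appd[311]: ERROR disk /dev/sda1 usage 97% exceeds threshold",
    "2024-05-01T10:00:05Z host2 appd[212]: WARNING login failed for user=alice from 10.0.0.5",
    "2024-05-01T10:00:09Z host1 appd[311]: ERROR disk /dev/sdb1 usage 99% exceeds threshold",
    "2024-05-01T10:00:12Z host3 appd[417]: WARNING login failed for user=bob from 10.0.0.9",
    "2024-05-01T10:00:20Z host2 appd[212]: ERROR replication lag 4500 ms on node db-2",
    "2024-05-01T10:00:31Z host1 appd[311]: INFO service started",
]

# Hypothetical saved queries. Each pattern starts with a literal keyword and
# uses bounded character classes instead of ".*" so matching stays cheap.
SAVED_QUERIES = {
    "disk_usage_high": re.compile(
        r"ERROR disk (?P<device>\S+) usage (?P<pct>\d{1,3})% "),
    "login_failed": re.compile(
        r"WARNING login failed for user=(?P<user>\S+) from (?P<src_ip>[\d.]+)$"),
}

def triage(events, queries, keywords=("ERROR", "WARNING")):
    """Return (extracted fields per saved query, uncovered events).

    Uncovered events match the initial error/warning search but no saved
    query, so they are the candidates for the next query to write.
    """
    extracted = {name: [] for name in queries}
    remaining = []
    for event in events:
        if not any(k in event for k in keywords):
            continue  # outside the initial search, e.g. INFO lines
        for name, pattern in queries.items():
            match = pattern.search(event)
            if match:
                extracted[name].append(match.groupdict())
                break  # covered: filtered out of the results list
        else:
            remaining.append(event)
    return extracted, remaining

if __name__ == "__main__":
    fields, uncovered = triage(SAMPLE_EVENTS, SAVED_QUERIES)
    for name, rows in fields.items():
        print(name, rows)
    print("events still needing a saved query:", uncovered)
```

An empty list of uncovered events means every collected error or warning is covered by a saved query. A non-empty list shows which events to analyze next.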