Creating a Multi-Cluster View using LogScale UI

Creating a Multi-Cluster View within the LogScale User Interface is a multi-stage process:

  1. Obtain a Repository API Token for each repository that will be part of the multi-cluster view. This provides the cluster hosting the multi-cluster view with the API information required to access the data in the remote repository on each remote cluster.

  2. Create a multi-cluster view, configured with the URL and repository API token.

Creating an API Token for an Existing Repository

Creating a Multi-Cluster View requires a repository token for each remote repository. To obtain a Repository token:

  1. Open the remote cluster where the repository is located.

  2. Choose the repository that will be part of the multi-cluster view, and then choose Settings to open the repository page.

  3. Choose Tokens from the sidebar. Click + Add new to create a new repository token.

  4. Choose the Data read access permission from the list, give the token a name, and then click Create token. This will generate a random string that will need to be copied and retained so that it can be added to the multi-cluster view configuration.

    To provide additional security, you can apply an IP filter to the token, which can restrict the token to work only from a single IP address. See IP Filters.

    Important

    The repository token string will not be shown again, and cannot be recovered. Make sure to copy the token before closing the prompt.

The process can be repeated on each cluster and repository that will be part of the multi-cluster view.

For more information on creating and using Repository API tokens, see Repository and View API Tokens.

Creating the Multi-Cluster View

The Multi-Cluster View connects each remote repository, and one local repository, into a single Multi-Cluster View that can be used to search across all the repositories.

Before creating your Multi-Cluster View, ensure you have a suitable Repository API Token for each remote repository that will be included as part of the Multi-Cluster View.

To create a Multi-Cluster View:

  1. Go to the Repositories and views page. Click the +Add new button.

  2. Click the Multi-Cluster view card. The New multi-cluster view page will be displayed.

    The following information can be provided:

    • Name (Required)

      The name of the Multi-Cluster View

    • Description

      A description of the view.

    • Event filter

      An implied filter for events from the repository.

    • Cluster identity tag

      The name or identifier for the remote cluster. When set, adds a #clusteridentity field to events coming from this connection in the result set. This enables filtering or identification of the source of an individual event.

    Remote cluster connections provide the information about each remote cluster that will be included within the multi-cluster view. The view is configured to use the repository or view API token (which automatically identifies the repository or view):

    • Remote cluster URL (Required)

      The URL of the remote cluster, for example, https://remote.example.com

    • Repository or view token secret (Required)

      The Repository API token string created (see Creating an API Token for an Existing Repository).

    • Event filter

      An optional event filter that will filter the events during any multi-cluster search request.

    • Cluster identity

      The name or identifier for the remote cluster. When set, adds a #clusteridentity field to events coming from this connection in the result set. This enables filtering or identification of the source of an individual event.

    To add further connections, click the + Add connection button and provide the same information for each new repository.

    To delete a connection, click the trashcan item next to each line.

  3. An optional local repository or view can be added to the multi-cluster view. To configure:

    1. Select the Repository or view from the pop-up menu.

    2. Add an optional Event filter to be used to filter events before they are included in the multi-cluster view.

  4. Click the Create multi-cluster view button to create the view.
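
A pre-flight check for the connection details gathered in the steps above, as an added example that is not part of the LogScale documentation or product. The plan format (`url`, `token`, `cluster_identity` keys) is hypothetical, and the HTTPS-only, no-reused-token and unique-identity rules are assumed policies chosen for this sketch; the token and host values are constructed placeholders.

```python
from urllib.parse import urlsplit

def validate_connections(connections):
    """Return (index, problem) tuples for a planned set of remote connections."""
    problems = []
    seen_tokens, seen_ids = {}, {}
    for i, c in enumerate(connections):
        url = urlsplit(c.get("url", ""))
        # Assumed policy: the token secret is sent to this URL, so require TLS.
        if url.scheme != "https" or not url.hostname:
            problems.append((i, "remote cluster URL must be an https:// URL"))
        if url.username or url.password:
            problems.append((i, "remote cluster URL must not embed credentials"))
        token = c.get("token", "").strip()
        if not token:
            problems.append((i, "repository or view token secret is required"))
        elif token in seen_tokens:
            # The token identifies the repository, so a repeat is the same repository twice.
            problems.append((i, f"token already used by connection {seen_tokens[token]}"))
        else:
            seen_tokens[token] = i
        ident = c.get("cluster_identity", "").strip()
        if not ident:
            problems.append((i, "no cluster identity: events will lack #clusteridentity"))
        elif ident in seen_ids:
            problems.append((i, f"cluster identity '{ident}' duplicates connection {seen_ids[ident]}"))
        else:
            seen_ids[ident] = i
    return problems

def redact(connection):
    """Copy of a connection that is safe to log: the token secret is masked."""
    safe = dict(connection)
    if safe.get("token"):
        safe["token"] = "****"
    return safe

# Constructed sample plan; hostnames and token strings are placeholders.
PLAN = [
    {"url": "https://remote.example.com", "token": "PLACEHOLDER-TOKEN-A", "cluster_identity": "eu"},
    {"url": "http://remote2.example.com", "token": "PLACEHOLDER-TOKEN-A", "cluster_identity": "eu"},
    {"url": "https://remote3.example.com", "token": "", "cluster_identity": ""},
]

if __name__ == "__main__":
    for idx, problem in validate_connections(PLAN):
        print(f"connection {idx} ({redact(PLAN[idx])['url']}): {problem}")
```

Because the token string cannot be recovered after creation, keep the plan in a secrets store rather than a plain file, and log only the output of `redact`.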

Viewing Existing Multi-Cluster View Settings

Existing Multi-Cluster views can be viewed and updated by going to the Settings of the Multi-Cluster view. This will also show the current status of the multi-cluster view, and the active connections to remote clusters.

From here you can perform the following actions:

  • Add new connections by clicking the + Add connection button. This will prompt the Add new local repository or view connection window.

    New connections require the cluster URL, Repository API token, and an optional event filter.

  • To delete an existing remote repository, click the ⋮ and choose Remove connection.

  • To add a connection to a local repository, click the + Add connection button next to the Local cluster connection and then configure the name and event filter of the local repository.