The two main benefits of using client data sources. The first of which you are already aware of. Using child datasources will extend your Receiver data source limit past 255. The secondbenefit is for grouping purposes. All client data sources will use the same parser type designated by the parent data source configuration. This provides easier viewing of similar data source types by highlighting the parent datasource when viewing events in the navigation tree. This also allows for easier editing and client additions to the group just by adding the name and IP address instead of all the selected parser details. You can also export the datasources to csv and take advantage of the formatting and just add new clientslisted under the parent then import the csv back into the Rec and the new clients will be listed.
Let me know if you have any additional questions in regardsto Client data sources.
To give you a real-life example for a large enterprise (which hopefully gives you a warm but maybe not fuzzy). In our environment we have Parent data sources split up by a specific device type, ie WindowsOS. Depending on how many individual devices you have coming in you could make multiples (ie WindowsOS_1, WindowsOS_2, WindowsOS_3, and so on). The Parent data source is setup with a dummy ip that doesn't exist and our client data sources are set to "match on IP", we then add our real clients as "child sources". This way we have all device-specific data in order for easy management.
-Know how many different data sources your environment currently has
-Know approximiately how many possible data sources you may add in the near future
-Know a good estimate of your event rates for the data sources (useful for determining which devices to put on which receiver -- if you have multiples)
-Come up with a good way to group your data sources (ie by device, by division, by OS/App, etc)
-Draw out your plans on a white board or paper to get a good view of what you will be doing
I just thought of another major benefit for Parent > Client (not child) data source configurations.
Policy rollouts. You are most likely already familiar with seeing the millions of innocuous (noise) events generated by Windows systems on a daily basis. Creating discard (filtering) rules can be very useful to a Receivers performance and for viewing and reporting on the useful Windows WMI events.
When using a Parent > Client configuration, rolling out policy after creating new or modifying existing rules, would only need to be rolled out to one system rather than (in some cases) hundreds of systems. This is a big time savor when working with regex string creating filtering (discard) rules that many times need to be tweaked along the way.
Creating a custom policy with all windows systems under this policy will give you the same benifity, but you have to initially have to drag one system at a time under the custom policy before being able to use the customer policy folder and you must remember to do the same for all new windows systems you add. So I favor the Parent > Child configuration over custom policy.
This is a key benefit when working with WMI default rules and or custom filtering rules.
Message was edited by: tnitro on 12/21/12 3:14:11 PM CST
You mentioned to "export the datasources to csv and take advantage of the formatting and just add new clientslisted under the parent then import the csv back into the Rec and the new clients will be listed." I am adding over 100 wireless APs as datasources now. could you please give more information? I have use following method to do the zone management. Is it the same?
1) export the file
Note: You can only make changes to the top level zone, not the sub zones
2) make a copy of the file
3) remove all lines that are for sub zones while keeping the top level zones and the header line
4) put REMOVE in front of the remaining top level zones and import the file
5) make any changes needed to the backup file from step 2
6) put ADD in front of every line in the file except the header
7) import the file.