Comments (3)
jordansissel
commented on July 20, 2024
The problem is likely that the use of GREEDYDATA doesn't inform the execution about how to match your data efficiently. You can read more about this kind of phenomenon on what Wikipedia calls ReDoS. Basically, my recommendation is to use the most specific patterns you can, and GREEDYDATA is not very specific (It will match anything or nothing), and such ambiguity can cause the regular expression engine to get bogged down trying to match things.
from logstash-filter-grok.
jordansissel
commented on July 20, 2024
I do believe this to be an example of a pathological regexp that causes your parsing to be so slow or simply appear to be doing nothing but consuming 100% cpu.
from logstash-filter-grok.
jsvd
commented on July 20, 2024
closing this.
two notes about this issue in particular:
- having two consecutive %{GREEDYDATA} patterns makes no sense. if your matching string is something like
Once upon a time, there was a mouse., then the first GREEDYDATA will consume "Once upon a time, there was a", and the second will be "mouse." There's no way for the regex engine to figure out where to start and stop each GREEDYDATA, so it gives as much as possible to the first one. - adding guards to the regex makes parse failure much faster (2x to 5x in this case).
from logstash-filter-grok.
Related Issues (20)
- Memory leak on 5.x
- Ability to auto-sort match options by frequency of match HOT 1
- getting values as an array HOT 1
- remove_field not working HOT 2
- "Prefix" functionality for grok HOT 4
- Track number of failed matches when using multiple pattern per field
- Warn when patterns don't have anchors HOT 1
- Significant Performance Regression using Jruby Timeouts HOT 8
- Implement ECS-Compatibility Mode HOT 4
- Logstash pipeline to remove passwords from log data HOT 1
- Using event fileds in configuration options HOT 1
- pure ruby regexp <capture:int> coercion does not work
- captures with same name won't coerce properly
- Logstash for iis SMTP
- Incoherent behavior of field references with overwrite
- [Test Failure] Syslog grok tests are failing on Logstash 8.x
- Behaviour when pattern writes to same input field (without "overwrite" option) HOT 1
- Add property to limit backtracking
- Regression on grok is case of match failure HOT 4
- Pipeline crashes with undefined method `each' for nil:NilClass error in event filter method
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from logstash-filter-grok.