Comments (4)
jarpy
commented on July 20, 2024
Working on a patch.
This commit demonstrates a test and a (brutal, incorrect) patch that makes it pass. 417d993
Essentially, the default value of break_on_match = true makes grok bail out after the first array element is evaluated.
from logstash-filter-grok.
jarpy
commented on July 20, 2024
Is break_on_match intended to be mainly a performance optimization? If so, should it default to false, so as not to be a premature one?
from logstash-filter-grok.
jordansissel
commented on July 20, 2024
It wasn't chosen as a performance optimization. It was chosen because it is common to have applications with hundreds or thousands of unique log entries (Elasticsearch has over 1300 of them). This commonality allows you to write specific patterns to parse certain messages you care the most about and have a fall-back case (or several fall-back attempts).
This example also follows with things like syslog-ish formatted messages. One message you may care about the details:
Aug 7 14:10:27 crinkle sshd[10094]: Invalid user foo from ::1
And maybe parse this specially to indicate what user foo failed to login. Other syslog messages you may haven't seen yet or may not care to do additional parsing, but would like to have at least the common header (timestamp, host, app) parsed.
from logstash-filter-grok.
jarpy
commented on July 20, 2024
Thanks Jordan. I get it now.
Appreciate you taking the time.
from logstash-filter-grok.
Related Issues (20)
- Allow grok pattern to be passed in as a parameter HOT 3
- Memory leak on 5.x
- Ability to auto-sort match options by frequency of match HOT 1
- getting values as an array HOT 1
- remove_field not working HOT 2
- "Prefix" functionality for grok HOT 4
- Track number of failed matches when using multiple pattern per field
- Warn when patterns don't have anchors HOT 1
- Significant Performance Regression using Jruby Timeouts HOT 8
- Implement ECS-Compatibility Mode HOT 4
- Logstash pipeline to remove passwords from log data HOT 1
- Using event fileds in configuration options HOT 1
- pure ruby regexp <capture:int> coercion does not work
- captures with same name won't coerce properly
- Logstash for iis SMTP
- Incoherent behavior of field references with overwrite
- [Test Failure] Syslog grok tests are failing on Logstash 8.x
- Behaviour when pattern writes to same input field (without "overwrite" option) HOT 1
- Add property to limit backtracking
- Regression on grok is case of match failure HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from logstash-filter-grok.