Auditbeat "drop_event" regex performance?

I'm wondering which of these drop_event formats will give the best run time? Thanks!

#1:

```yaml
- drop_event:
    "root|daemon|bin"
```

#2:

```yaml
- drop_event:
    - "root"
    - "daemon"
    - "bin"
```

#3:

```yaml
- drop_event:
    - "root"
- drop_event:
    - "daemon"
- drop_event:
    - "bin"
```

bump :slight_smile:


Pure guess, from fastest to slowest, I would go with:

But that is a pure guess. I would think you are not getting any interest because we're all very nerdy, scientific-ish people who know that the only way to know is to benchmark it on a big enough sample to reveal variance, if any variance is to be found. :slight_smile:

Do you know about the --once flag?

Consider that you can configure Filebeat to output events to a local file, to the console, or to Filebeat's own logs, to eliminate the factor of sending to a "true" output with latencies and all (which is not what you want to benchmark).

So you could, for example, use a simple `time` command to start Filebeat interactively in your terminal while it's configured to use one of the really fast outputs mentioned above.

With a big enough input sample of, say, 50/50 events to be dropped/kept, the --once flag, a fast output, and multiple runs to eliminate inter-test variance and outliers, I'm guessing you'd be able to time Filebeat's performance and get a definitive answer.

Let us know,


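The benchmark procedure described in the reply above, as an added example that is not part of the thread or of Filebeat itself: a shell harness that generates a 50/50 sample, writes the three drop_event variants from the question as real Filebeat conditions on a `user.name` field, runs each variant with `--once` and a local file output several times, and reports the median wall-clock time. Filebeat 7.x on PATH, the `user.name` field, the JSON event format, and the sample sizes are all assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: harness for the benchmark the reply
# describes. Assumes Filebeat 7.x on PATH and a JSON field user.name; the
# file names, event format and counts below are made up for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SAMPLE="$WORK/sample.ndjson"
LINES="${LINES:-200000}"   # sample size; override with LINES=...
RUNS="${RUNS:-5}"          # repetitions per variant, to expose variance

# 50/50 sample: odd-numbered events belong to a user that should be dropped.
gen_sample() {                    # $1 = output path, $2 = number of events
  awk -v n="$2" 'BEGIN {
    split("alice bob www-data", keep, " "); split("root daemon bin", drop, " ")
    for (i = 0; i < n; i++) {
      name = (i % 2) ? drop[i % 3 + 1] : keep[i % 3 + 1]
      printf "{\"user\":{\"name\":\"%s\"},\"seq\":%d}\n", name, i
    }
  }' > "$1"
}

# Shared config: read the sample, decode the JSON so user.name is a real
# field, and write to a local file so output latency stays out of the timing.
write_config() {                  # $1 = config path, $2 = processors block
  cat > "$1" <<EOF
filebeat.inputs:
  - type: log
    paths: ["$SAMPLE"]
    json.keys_under_root: true
$2
output.file:
  path: "$WORK/out"
  filename: events
logging.level: error
EOF
}

# The three variants from the question as real drop_event conditions.
PROC1='processors:
  - drop_event:
      when:
        regexp:
          user.name: "^(root|daemon|bin)$"'
PROC2='processors:
  - drop_event:
      when:
        or:
          - equals:
              user.name: "root"
          - equals:
              user.name: "daemon"
          - equals:
              user.name: "bin"'
PROC3='processors:
  - drop_event:
      when:
        equals:
          user.name: "root"
  - drop_event:
      when:
        equals:
          user.name: "daemon"
  - drop_event:
      when:
        equals:
          user.name: "bin"'

# Time one variant RUNS times. A fresh path.data per run resets the registry so
# the sample is re-read from the start; --once exits once the input hits EOF.
bench() {                         # $1 = config path; prints seconds, one per run
  i=1
  while [ "$i" -le "$RUNS" ]; do
    rm -rf "$WORK/data" "$WORK/out"; mkdir -p "$WORK/out"
    TIMEFORMAT=%R
    { time filebeat --once -c "$1" -E "path.data=$WORK/data" >/dev/null 2>&1; } 2>&1
    i=$((i + 1))
  done
}

# Median of the numbers on stdin; less sensitive to outlier runs than the mean.
median() {
  sort -n | awk '{ a[NR] = $1 }
    END { if (NR % 2) print a[(NR + 1) / 2]; else print (a[NR / 2] + a[NR / 2 + 1]) / 2 }'
}

main() {
  if ! command -v filebeat >/dev/null 2>&1; then
    echo "filebeat not on PATH; nothing to benchmark" >&2
    return 0
  fi
  gen_sample "$SAMPLE" "$LINES"
  write_config "$WORK/v1.yml" "$PROC1"
  write_config "$WORK/v2.yml" "$PROC2"
  write_config "$WORK/v3.yml" "$PROC3"
  for v in v1 v2 v3; do
    printf '%s: median of %s runs = %ss\n' "$v" "$RUNS" "$(bench "$WORK/$v.yml" | median)"
    # Sanity check on the last run: every variant must keep exactly half.
    printf '    events kept: %s (expected %s)\n' "$(wc -l < "$WORK/out/events")" "$((LINES / 2))"
  done
}

main "$@"
```

Filebeat's startup and shutdown cost dominates short runs, so raise LINES until the spread between variants is larger than the run-to-run noise. The "events kept" line must equal half the sample for every variant; if it does not, the variants are not doing the same work and their timings are not comparable.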

Also consider this:

Since it could have an impact here. You could benchmark this also :slight_smile:


Appreciate the response! I was hoping whoever wrote the drop_event code would just know, but your guess is the same as mine. In a perfect world, all three would have the same runtime :stuck_out_tongue:.

I'll stick with #2, and if performance ever becomes a problem, I'll spend some time benchmarking. Thanks!
