Best practice for adding tag in an inexpensive way?

omersiar · April 29, 2020, 7:17am

Hello All,

Trying to understand structure of Logstash pipeline configuration, it seems almost every plugin (that are shipped by default) has some common functions like adding fields, removing tags, etc.

My question is what is the most inexpensive (in context of CPU cycle) way to use them in a pipeline configuration.

Is there any considerable difference between adding a tag with mutate filter or dissect filter? Are they loaded into memory even if I don't use them? If I used dissect plugin one time, should I continue to use it again to add a tag?

    input {
    }

    filter {
      # dissect scope
      dissect {
        # do dissecting
      }
      # then i need to check for conditions for additional tagging
      # then i'm using mutate for adding a tag ?
      # could not i use add_tag alone? inside filter scope? should i go with dissect again?
      mutate {
        add_tag => [ "transactionEnded" ]
      }
    }

    output {
    }

Badger · April 29, 2020, 1:26pm

Yes, if a plugin successfully processes an event then it will "decorate" the event. That means it processes the options that are common to filters such as add_field, add_tag, remove_field etc. Every filter uses a shared library function to do this, so the cost should be the same for every filter.

system · May 27, 2020, 1:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.