Hello All,
While trying to understand the structure of the Logstash pipeline configuration, I noticed that almost every plugin (of those shipped by default) has some common functions, such as adding fields, removing tags, etc.
My question is: what is the most inexpensive (in terms of CPU cycles) way to use them in a pipeline configuration?
Is there any considerable difference between adding a tag with the mutate filter or the dissect filter? Are they loaded into memory even if I don't use them? If I have used the dissect plugin once, should I continue to use it to add a tag?
input {
}
filter {
  # dissect scope
  dissect {
    # do dissecting
  }
  # then I need to check for conditions for additional tagging
  # then I'm using mutate for adding a tag?
  # couldn't I use add_tag alone, inside the filter scope? should I go with dissect again?
  mutate {
    add_tag => [ "transactionEnded" ]
  }
}
output {
}