Hello All,
My logstash configuration have almost 1500+ lines of code where i am taking input from beats and applying filters for extracting fields of various log types and output to kafka. Is there any way to handle huge configuration files or any best practices for logstash parsers?
Thanks in advance.
I'd split that file into multiple files, but apart from that it's hard to give advice without seeing what it looks like.
I'd also strongly suggest using my tool Logstash Filter Verifier to test your filter configurations.
Does this means splitting 1 large conf to many confs and run multiple logstash instances?
This is awsome i will try this tool.
Thanks in advance.
Does this means splitting 1 large conf to many confs and run multiple logstash instances?
That's one possibility, but I was thinking of splitting into multiple files and running a single instance.
Heres the filter part of my conf. Please suggest on this.
Thanks in advance.
I obviously haven't studied all 2000 lines in any detail, but a few things stand out:
if [source] == "/archives/log/10.90.250.151.log" etc) is probably not a great idea.can u please suggest any best practices for maintaining logstash parser confs where we have custom log patterns (other than usual standard log patterns provided by vendors).
I don't think I have any particular suggestions. In what way is your current situation unmanageable?
with number of conf lines increased, we were facing latency for logs getting parsed. How to efficiently handle in this scenario? By writing multiple confs will improve performance? If so how to do this?
Have you looked into using the Logstash monitoring API to see which filters are adding the most time to the processing?
But as I said, reduce the amount of DATA and GREEDYDATA patterns. Don't spend time on other optimizations until your grok expressions have been cleaned up.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.