Best way to write grok filters

Hi all,
We can use two approaches to write a grok filter, as follows. My concern is: which is the best approach performance-wise?

1st Approach
Having a single grok for all the variables

grok {
  # brackets are regex metacharacters, so they must be escaped; the string and block are closed
  match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level}" }
}

2nd Approach
Having separate grok filters per variable

grok {
  match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\]" }
}

grok {
  match => { "message" => "%{LOGLEVEL:level}" }
}

The first approach will result in less back-tracking and be more efficient.

Also, anchor your patterns whenever possible.
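An added example, not from the thread or from Logstash itself: a small grok-to-regex compiler in Python used to run both layouts from the question over a few constructed log lines, so the difference in output and in matching work is visible. It assumes a cut-down copy of the TIMESTAMP_ISO8601 and LOGLEVEL definitions (the real Logstash patterns are longer) and uses Python's re module in place of the Joni engine Logstash uses; the names compile_grok, run_grok_stages, offsets_tried and the sample lines are all invented for this demonstration.

```python
import re

# Assumption: a simplified subset of Logstash's built-in grok patterns.
# The real definitions are longer; this is enough to parse the sample lines.
GROK_PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": (r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}"
                          r"(?::?%{SECOND})?%{ISO8601_TIMEZONE}?"),
    "LOGLEVEL": (r"(?:[Dd]ebug|DEBUG|[Ii]nfo|INFO|[Ww]arn(?:ing)?|WARN(?:ING)?"
                 r"|[Ee]rror|ERROR|[Ff]atal|FATAL)"),
}

# Matches %{NAME} and %{NAME:field} references inside a grok pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern: str) -> re.Pattern:
    """Expand grok references into a Python regex.

    %{NAME:field} becomes a named capture group, bare %{NAME} a non-capturing
    group. Expansion recurses because pattern definitions refer to each other.
    """
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = GROK_REF.sub(expand, GROK_PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))


def run_grok_stages(stages, message):
    """Apply grok patterns in order, like consecutive grok {} blocks.

    grok searches unanchored, so a pattern may match anywhere in the line
    unless it starts with ^. A stage that fails adds _grokparsefailure,
    mirroring the tag Logstash sets.
    """
    fields, tags = {}, []
    for pattern in stages:
        m = compile_grok(pattern).search(message)
        if m:
            fields.update(m.groupdict())
        else:
            tags.append("_grokparsefailure")
    return fields, tags


def offsets_tried(pattern: str, message: str) -> int:
    """Count how many start offsets an unanchored search would attempt.

    A ^-anchored pattern can only succeed at offset 0, so the engine tries
    once and stops; an unanchored pattern on a non-matching line is retried
    at every offset before it is rejected.
    """
    pat = compile_grok(pattern)
    candidates = [0] if pattern.startswith("^") else range(len(message) + 1)
    tried = 0
    for offset in candidates:
        tried += 1
        if pat.match(message, offset):
            break
    return tried


# 1st approach from the question: one grok, anchored to the start of the line.
SINGLE_ANCHORED = [r"^\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level}"]
# 2nd approach from the question: one grok per field, unanchored as written.
SPLIT_UNANCHORED = [r"\[%{TIMESTAMP_ISO8601:timestamp}\]", r"%{LOGLEVEL:level}"]

# Constructed sample lines (not real log data).
SAMPLE_LINES = {
    "normal": "[2024-03-01T12:34:56Z] WARN disk usage at 91%",
    "no_level": "[2024-03-01T12:34:57Z] user reported an error in checkout",
    "prefixed": "syslog-relay: [2024-03-01T12:34:58Z] INFO forwarded",
}

if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        print(name, "single:", run_grok_stages(SINGLE_ANCHORED, line))
        print(name, "split: ", run_grok_stages(SPLIT_UNANCHORED, line))
    print("offsets tried on junk, anchored:",
          offsets_tried(SINGLE_ANCHORED[0], "garbage line"))
    print("offsets tried on junk, unanchored:",
          offsets_tried(SPLIT_UNANCHORED[0], "garbage line"))
```

On the well-formed line both layouts produce the same two fields, but the single anchored pattern does it in one pass. On the line with no level token the unanchored per-field grok picks up the word "error" from free text as the level, while the anchored single pattern fails cleanly and tags the event, which is the behaviour you want for a fixed format: format drift shows up as _grokparsefailure instead of a silently wrong field. The offset count shows the cost of leaving the anchor off: a non-matching line is retried at every position instead of being rejected after one attempt.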
