Hi all,
We can use two approaches to write a grok filter, as follows. My concern is: which is the best approach performance-wise?
1st Approach
Having a single grok for all the variables
grok {
  match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level}" }
}
2nd Approach
Having separate grok filters per variable
grok {
  match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}\]" }
}
grok {
  match => { "message" => "%{LOGLEVEL:level}" }
}
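As an added example that is not part of the post: a small Ruby stand-in for grok that compiles both configurations above, checks that they extract the same fields from a constructed log line, and counts how many regex executions each needs per event, with a benchmark loop to compare them. It assumes simplified TIMESTAMP_ISO8601 and LOGLEVEL definitions (the stock Logstash patterns are larger) and plain Ruby regexes rather than Logstash's JRuby/Joni engine, so the timings are only indicative.

```ruby
require 'benchmark'

# Simplified stand-ins for the stock grok definitions (assumption: close
# enough for a comparison; Logstash's real patterns are longer).
GROK_PATTERNS = {
  'TIMESTAMP_ISO8601' => '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?',
  'LOGLEVEL'          => '(?:TRACE|DEBUG|INFO|NOTICE|WARN(?:ING)?|ERROR|FATAL)'
}.freeze

# Expand each %{NAME:field} into a named capture group, as grok does.
# Unknown pattern names raise, mirroring a grok compile error.
def grok_compile(pattern)
  src = pattern.gsub(/%\{(\w+):(\w+)\}/) do
    "(?<#{Regexp.last_match(2)}>#{GROK_PATTERNS.fetch(Regexp.last_match(1))})"
  end
  Regexp.new(src)
end

# 1st approach: one grok for all fields, one regex, anchored to line start.
SINGLE = [grok_compile('^\[%{TIMESTAMP_ISO8601:timestamp}\] %{LOGLEVEL:level}')].freeze

# 2nd approach: one grok per field. Each filter is a separate regex that is
# run over the whole message; the second one has no anchor, so the engine
# scans from every position until it finds a level token.
SPLIT = [grok_compile('^\[%{TIMESTAMP_ISO8601:timestamp}\]'),
         grok_compile('%{LOGLEVEL:level}')].freeze

# Apply a list of filters to one message. Returns the extracted fields and
# the number of regex executions performed (one per filter, as in Logstash).
def run_filters(filters, message)
  fields = {}
  filters.each do |re|
    m = re.match(message)
    next unless m
    m.names.each { |name| fields[name] = m[name] }
  end
  [fields, filters.size]
end

# Constructed sample event (not taken from a real log).
MESSAGE = '[2024-03-01T12:34:56.789Z] ERROR payment service timed out'.freeze

if __FILE__ == $PROGRAM_NAME
  Benchmark.bm(8) do |x|
    x.report('single:') { 50_000.times { run_filters(SINGLE, MESSAGE) } }
    x.report('split:')  { 50_000.times { run_filters(SPLIT, MESSAGE) } }
  end
end
```

Both approaches yield the same fields; the difference is one regex execution per event against two, and the unanchored second filter has to scan the message instead of failing fast at the first character.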