Hi all,
I'm using Logstash 2.3.0 to receive netflow data from nProbe. There are some custom application ports that would be named as "Unknown" protocol, so I use if/else if in Logstash to check the destination port and rename the protocol to the right name:
    filter {
      if [type] == "netflow" {
        if [L4_DST_PORT] in [5601, 5602] {
          mutate { update => { "L7_PROTO_NAME" => "Kibana" } }
        } else if [L4_DST_PORT] in [9200, 9201] {
          mutate { update => { "L7_PROTO_NAME" => "Elasticsearch" } }
        } else if [L4_DST_PORT] in [5544, 5545] {
          mutate { update => { "L7_PROTO_NAME" => "Logstash" } }
        }
      }
    }
The problem is that if I put this block in the Logstash config, the throughput to ES drops from 800-1000 EPS to 200 EPS, which is 4 to 5 times less than without this if block. nProbe is not a factor in this throughput drop.
Is there any other, more efficient way to achieve this check-and-mutate task?
Thanks,
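An alternative worth benchmarking against the if/else chain in the post, added here as an example and not part of the original post or of any reply: a single translate filter (logstash-filter-translate, bundled with Logstash 2.x) does the port-to-name mapping as one dictionary lookup instead of evaluating each conditional and running a separate mutate. It assumes the same top-level field names the post uses (L4_DST_PORT, L7_PROTO_NAME) and that the event type is "netflow"; translate matches the field value against the dictionary keys as strings, so the ports are quoted. override is set because L7_PROTO_NAME already exists on the event (it holds "Unknown"), and translate leaves an existing destination untouched by default; ports not in the dictionary are left as they arrive.

```logstash
filter {
  if [type] == "netflow" {
    # One lookup replaces the chained if / else if / mutate blocks.
    # Keys are strings: translate compares the field value as a string.
    translate {
      field       => "L4_DST_PORT"
      destination => "L7_PROTO_NAME"
      # Required here: the destination field already exists ("Unknown")
      # and translate will not overwrite it unless told to.
      override    => true
      # Flat key, value, key, value list (accepted by translate 2.x);
      # ports without an entry keep whatever L7_PROTO_NAME nProbe sent.
      dictionary  => [
        "5601", "Kibana",
        "5602", "Kibana",
        "9200", "Elasticsearch",
        "9201", "Elasticsearch",
        "5544", "Logstash",
        "5545", "Logstash"
      ]
    }
  }
}
```

If the port list grows, the same mapping can be moved into a YAML file referenced with dictionary_path instead of being kept inline, and refresh_interval controls how often translate re-reads it; either way the per-event cost stays a single hash lookup rather than a linear walk through conditionals.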