Expensive if statement in Logstash config

anhlqn · April 14, 2016, 5:44pm

Hi all,

I'm using Logstash 2.3.0 to receive netflow data from nProbe. There are some custom application ports that would be named as Unknown protocol, so I use if/else if in Logstash to check for destination port and rename the protocol to the right name

filter {
if [type] == "netflow" {       
        if [L4_DST_PORT] in [5601, 5602] {
            mutate { update => { "L7_PROTO_NAME" => "Kibana" } }        
        } else if [L4_DST_PORT] in [9200, 9201] {
            mutate { update => { "L7_PROTO_NAME" => "Elasticsearch" } }    
        } else if [L4_DST_PORT] in [5544, 5545] {
            mutate { update => { "L7_PROTO_NAME" => "Logstash" } }
        }
	}
}

The problem is that if I put this block in Logstash config, the throughput to ES drops from 800-1000 EPS to 200 EPS which is 4 to 5 times less without this if block. nProbe is not a factor in this throughput drop.

Is there any other more efficient ways to achieve this check and mutate task?

Thanks,

Topic		Replies	Views
Any alternatives to if and mutate? Logstash	3	693	July 6, 2017
Logstash Conditional format? Logstash	3	980	July 6, 2017
Logstash and netflow filter problem / question with filter and if[exp] Logstash	2	697	July 25, 2017
Logstash filter section problem Logstash	3	673	July 24, 2017
CheckPoint Netflow and Elasticsearch Logstash	9	2069	October 15, 2017

Expensive if statement in Logstash config

Related topics