Good grok debugger needed / benefit grok vs plain regex?


#1

Hi all,

since I love regex101.com I used plain regex in my grok match clauses until now. Unfortunately there you cannot use the patterns which are supported by grok.

Are there any grok debuggers which are same as user friendly as 101regex.com?

  • I like the following there:
  • highlighting of the fields
  • on the fly parsing (no need to hit simulate / parse button)
  • shows number of steps and ms needed for parsing. (found out some nasty regex errors in my query which slowed down the query massively)
  • ...

Other question:
are there any benefits beside the possibility of using patterns (which of course simplifies reading the code) when using grok instead of plain regex? Especially in terms of performance.

Thanks, Andreas


(Paris Mermigkas) #2

I don't believe there's a debugger other than http://grokdebug.herokuapp.com (which you are probably aware of), but it doesn't provide most of the additional specialized features you are looking for, like steps/timings per pattern.

For that one I could suggest having a look at https://www.elastic.co/blog/do-you-grok-grok, there is a script included in that article that can help you benchmark different grok or pure regex patterns, which should be much more indicative than the regex101's times (although they are a pretty good indicator in general).

As for the benefit of using grok patterns, it's just readability. Internally it's expanded in it's actual regex equivalent, which you can see in the /patterns files.

But if you are trying to squeeze out every bit of performance from your pattern matching, out-of-the-box grok expressions are a double-edged sword since a few are overly complicated or generic (i.e. IP patterns trying to actually validate IPs).
In my opinion, the best compromise is to either edit those pattern files or add your own to have your efficient regex expressions as grok patterns. That way you still have the readability without sacrificing performance on needlessly complicated patterns.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.