In my (many, many) filters I use both grok and dissect but I wonder what's recommended? is one faster then the other?
Dissect is faster than grok. It's functionality is much simpler.
Grok is more of an heavy duty gun which can parse all Text for which you can find a Regex (which are a lot), but because of the Regex parsing it is slower then the Disect which simply goes through the text from beginning to end and searches for the defined delimters.
In almost all cases Disect wil be faster. The only Exception i can think of if you search for a string at the end of your input text, for which grok could be faster because you can ancor the search from the end. (No real proof/data as evidence for that only my guess)
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.