Grok vs dissect?

I was in a workshop today and noticed that a guy kept bringing up dissect and that it is far more powerful than grok, to some extent. My question is, which is better for the use case? This is the filter in my Logstash yaml file:

filter {
	# Take the last path segment (before ".txt") as the source file name
	grok {
		match => { "path" => "%{GREEDYDATA}/%{GREEDYDATA:filename}\.txt" }
	}
	# Split each "user:password" or "user;password" line at the first separator
	grok {
		match => {
			"message" => "%{DATA:user}[:;]%{GREEDYDATA:password}"
		}
	}
	# Strip stray newline, carriage return and tab characters from the password
	mutate {
		gsub => ["password", "[\n\r\t]", ""]
	}
}

Simple, right? It makes sense to me. Ingestion seems fine; I don't seem to have any issues. But he said that dissect will improve a lot of cases. In this use case, I am parsing loose user data in order to send out email warnings. It is scrolling through the files, but right now I'm trying to figure out how to improve the data ingestion.

I am trying to resolve any bottlenecks there may be, and figure that improving Logstash is a start before iterating on Elasticsearch to improve and optimize there.

I see the information at https://www.elastic.co/guide/en/logstash/current/plugins-filters-dissect.html and it makes me wonder how much faster it would be than the two matches I have defined above.

Does anyone have pros and cons?
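
Added example (not part of the post above, and not the Logstash plugin's own code): a small delimiter-based matcher written to follow the rules the dissect documentation describes (fields separated by literal delimiters, filled left to right, each field ending at the first occurrence of the delimiter that follows it, `%{?name}` and `%{}` discarded), placed next to the regexes that the two grok patterns from the post expand to. Running both over the same constructed sample events shows which of the post's patterns dissect can reproduce and which it cannot. The `dissect` function is a simplification written for this page: append and indirect field modifiers are left out, and any text left over after the final literal is treated as a non-match (an assumption, not necessarily the plugin's behaviour). The sample paths and credential lines are constructed, not real data.

```python
import re

# Simplified dissect matcher for this page (assumption: follows the documented
# rules but is NOT the Logstash plugin's code; append/indirect modifiers omitted,
# and leftover text after the final literal counts as a non-match).
FIELD = re.compile(r"%\{([^}]*)\}")

def dissect(mapping, text):
    """Return captured fields as a dict, or None if the mapping does not fit."""
    parts = FIELD.split(mapping)          # [lit0, name0, lit1, name1, ..., litN]
    if not text.startswith(parts[0]):
        return None
    pos, fields = len(parts[0]), {}
    for name, delim in zip(parts[1::2], parts[2::2]):
        if delim == "":                   # last field takes the rest of the line
            value, pos = text[pos:], len(text)
        else:
            idx = text.find(delim, pos)   # first occurrence only, no backtracking
            if idx < 0:
                return None
            value, pos = text[pos:idx], idx + len(delim)
        if name and not name.startswith("?"):
            fields[name] = value
    return fields if pos == len(text) else None

# Only the two grok pattern names the post uses; both are regex fragments.
GROK = {"DATA": r".*?", "GREEDYDATA": r".*"}

def grok(pattern, text):
    """Expand %{NAME:field} to named regex groups and search, as grok does."""
    def expand(m):
        name, _, field = m.group(1).partition(":")
        return f"(?P<{field}>{GROK[name]})" if field else f"(?:{GROK[name]})"
    m = re.compile(FIELD.sub(expand, pattern)).search(text)
    return m.groupdict() if m else None

def strip_control(fields):
    """The post's mutate/gsub step: drop CR, LF and TAB from the password."""
    if "password" in fields:
        fields["password"] = re.sub(r"[\n\r\t]", "", fields["password"])
    return fields

def parse_with_grok(path, message):
    """The post's two grok matches plus the gsub, applied to one event."""
    fields = {}
    fields.update(grok(r"%{GREEDYDATA}/%{GREEDYDATA:filename}\.txt", path) or {})
    fields.update(grok(r"%{DATA:user}[:;]%{GREEDYDATA:password}", message) or {})
    return strip_control(fields)

def parse_with_dissect(path, message):
    """Closest dissect mappings for the same two fields (assumed, see notes)."""
    fields = {}
    # Dissect has no "last path segment": the first '/' ends the skip field.
    fields.update(dissect("%{?dir}/%{filename}.txt", path) or {})
    # Dissect has no "either ':' or ';'" delimiter, so try each separator in turn.
    fields.update(dissect("%{user}:%{password}", message)
                  or dissect("%{user};%{password}", message) or {})
    return strip_control(fields)

# Constructed sample events (path, line); not real leaked data.
SAMPLE = [
    ("/data/dumps/leak1.txt", "alice:hunter2\r"),        # CRLF line ending
    ("/data/dumps/2024/combo.txt", "bob;Pa:ss;word"),     # ';' separator, ':' in the password
]

if __name__ == "__main__":
    for path, message in SAMPLE:
        g, d = parse_with_grok(path, message), parse_with_dissect(path, message)
        print("grok   :", g)
        print("dissect:", d, "" if g == d else "<-- differs")
```

Running it shows where the two diverge: on the first event both give `filename=leak1`-style results only for grok, because dissect's `%{?dir}/` stops at the first slash and yields `data/dumps/leak1` for the filename, and on the second event dissect's colon-first mapping splits `bob;Pa:ss;word` at the `:` instead of the first `;` that grok's `[:;]` picks. Both of the post's grok patterns lean on regex features (greedy last-delimiter matching and character-class alternation) that fixed literal delimiters cannot express, so dissect is a drop-in only for the parts of the input with a fixed structure; the linked dissect documentation itself recommends grok where the structure varies from line to line. This script does not measure throughput, so it says nothing about how much faster the plugin is inside Logstash.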
