High CPU usage when log format not matching with filter rule

CPU utilization increases when data comes in that it does not meet the set rules.(grok pattern)
Isn't there a defense logic to this phenomenon, such as preventing data from entering in case of failure of parsing?

Patterns that do not match can be very expensive if they include multiple DATA or especially GREEDYDATA fields. The grok filter includes a timeout to limit the CPU that non-matching patterns can use. The default is 30 seconds per pattern.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.