A single grok filter can have a list of patterns to process, so you do not need one grok filter per pattern. By default the filter will stop processing patterns once a match is found. You could therefore rationalise your example to something like this:
grok {
match => { logs => [".*fence timeout.", ".*Unable to handle kernel paging request at virtual address.*"] }
add_field => {"tagName"=>"SYS_SW"
"module" => "syssw"}
add_tag => ["SUCCESS"]
}
I also see that your patterns are not anchored at the start of the entry. You can gain a lot of performance by doing this, as outlined in this blog post.
If you can have a separate grok or dissect filter to capture any common prefix, e.g. timestamps and severity in one field and the rest in another, you can run anchored patterns against the latter, which most likely will greatly improve performance.
In that case you can naturally not condense them as I suggested. Processing that many grok expressions will probably result in a very large config with a large number of conditionals to only process if a match has not already been found. I would expect this to be both CPU intensive and slow unless you can anchor the majority of those patterns and process them first (before any that are not anchored).
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.