I have written some grok patterns to parse Barracuda Spam Firewall Mail log. I initially used patterns like NUMBER, IPORHOST, WORD. It turned out that some number fields contained a - or some weird characters, so I replaced those patterns with NOTSPACE, which has worked fine so far.
I haven't used grok a lot, so I wonder if there are any reasons not to use NOTSPACE like:
- regex performance concerns among NOTSPACE vs NUMBER, WORD, IPORHOST, etc.?
- don't want to insert a text value into a number field in ES (let the grok fail instead)?
- anything else?
Thanks