Most efficient grok approach for ISE logs

grok{match => {"message" => "User-Name=%{DATA:username}[,;]"}}
grok{match => {"message" => "NAS-IP-Address=%{IP:nas_ip}[,;]"}}
grok{match => {"message" => "NAS-Port=%{NUMBER:nas_port}[,;]"}}
grok{match => {"message" => "Framed-IP-Address=%{IP:framed_ip}[,;]"}}
grok{match => {"message" => "Class=%{DATA:class}[,;]"}}
grok{match => {"message" => "Called-Station-ID=%{DATA:called_station_id}[,;]"}}

Is this the most efficient way to grok logs with consistent keywords, but inconsistent order?
i.e. sometimes the keyword User-Name will come before Class and sometimes it will come after.

There are some issues that have arisen from doing it this way, like it will sometimes match a value twice if the keywords are similar (IPAddress=%{IP:ip} and Address=%{IP:address} will match the same thing), but I have found ways around all of these through trial and error.

The other issue is performance, as it is measurably slower, but it is still fast enough to parse them all in real time.

Firstly, you should anchor the pattern at the start of the text using ^; anchoring will allow the regex engine to fail matching very early.
grok{match => {"message" => "^User-Name=%{DATA:username}[,;]"}}

Secondly, you can put the patterns in one grok filter and have each one successively evaluated.

  grok {
    match => {
      "message" => [
        '^User-Name=%{DATA:username}[,;]',
        '^NAS-IP-Address=%{IP:nas_ip}[,;]',
        '^NAS-Port=%{NUMBER:nas_port}[,;]',
        '^Framed-IP-Address=%{IP:framed_ip}[,;]',
        '^Class=%{DATA:class}[,;]',
        '^Called-Station-ID=%{DATA:called_station_id}[,;]'
      ]
    }
    break_on_match => true
  }
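An added example, not from this thread, that reproduces the two effects discussed above in Ruby (grok compiles its patterns to Oniguruma, so Ruby's regex semantics are a close stand-in): why a leading ^ only extracts the attribute that happens to come first in a record, and how anchoring each key to the preceding delimiter instead keeps order independence while avoiding the Address=/IPAddress= double match from the question. The grok pattern table is a reduced subset of the stock library and the sample records are constructed here, not taken from real ISE output.

```ruby
# Subset of the stock grok pattern library used by the thread's patterns
# (IP is reduced here to the IPv4 alternative for brevity).
GROK = {
  "DATA"   => ".*?",
  "NUMBER" => "[+-]?(?:[0-9]+(?:\\.[0-9]+)?)",
  "IP"     => "(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}" \
              "(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
}

# Expand %{PATTERN:field} into a named capture, which is what grok does
# before handing the regex to Oniguruma.
def compile(pattern)
  Regexp.new(pattern.gsub(/%\{(\w+):(\w+)\}/) { "(?<#{$2}>#{GROK.fetch($1)})" })
end

# Apply every pattern to the message (break_on_match => false semantics)
# and merge the named captures into one hash of field => value.
def extract(message, patterns)
  patterns.each_with_object({}) do |pattern, fields|
    m = compile(pattern).match(message)
    fields.merge!(m.named_captures) if m
  end
end

# Constructed sample records (not real ISE output): identical attributes in
# two different orders, plus the IPAddress/Address pair from the question.
MSG_A = "User-Name=alice,NAS-IP-Address=10.0.0.1,IPAddress=10.2.2.2,Address=10.3.3.3,Class=CACS:abc,"
MSG_B = "Class=CACS:abc,Address=10.3.3.3,IPAddress=10.2.2.2,NAS-IP-Address=10.0.0.1,User-Name=bob,"

# 1) Bare key names: "Address=" also matches inside "NAS-IP-Address=".
NAIVE = ["User-Name=%{DATA:username}[,;]",
         "IPAddress=%{IP:ip}[,;]",
         "Address=%{IP:address}[,;]"]

# 2) ^ makes non-matches fail immediately, but only the key that happens
#    to open the record can ever match.
ANCHORED = NAIVE.map { |p| "^" + p }

# 3) Require the key to start the record or follow a delimiter: still
#    order-independent, and a short key can no longer match inside a longer one.
BOUNDED = NAIVE.map { |p| "(?:^|[,;] ?)" + p }

if __FILE__ == $0
  [NAIVE, ANCHORED, BOUNDED].zip(%w[naive anchored bounded]).each do |set, name|
    puts "#{name}: A=#{extract(MSG_A, set)} B=#{extract(MSG_B, set)}"
  end
end
```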

Can you give some configuration references?
