Multiple vs one filter for different inputs

sastorsl · February 18, 2021, 11:27am

In logstash we have multiple sources of input data - so we use conditionals on a document field (doc_type) to apply the various filters.

Is there any real difference or benefit between having one filter with conditionals inside vs having multiple filters where each filter starts with the conditional?

One filter

filter {
    if [doc_type] == 'type1' {
        grok { ...}
        }
    if [doc_type] == 'type2' {
        grok { ...}
        }
}

Multiple filters

filter {
    if [doc_type] == 'type1' {
        grok { ...}
        }
}
filter {
    if [doc_type] == 'type2' {
        grok { ...}
        }
}

Badger · February 18, 2021, 5:27pm

Not that I can think of. I believe they will be compiled down into the same code.

system · March 18, 2021, 5:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.