Performance grok vs mutate on finding message level


(Michael Li Zhou) #1

I have a log that is filled with nonsense data, so I am keeping it simple with a grok match on only the date, then greedydata for everything else. Halfway into the message I am given a message level, i.e. info, error, ... that I need to track down.

So my question is, what is better for performance: grok and match each of these nonsense data that I do not know how to categorize

OR:

just use conditions and check if the message contains error, info, debug?

I ask because I have heard that grok takes a lot of resources but these conditionals may use just as much.

Thanks,
M


(Mark Walkom) #2

This is really something you'd want to test on your own data.
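
A test pipeline for comparing the two approaches from the question, added here as an example and not posted by anyone in the thread. The field names `rest` and `level`, the `_nolevel` tag and the sample lines are assumptions; replace the generator lines with lines from the real log.

```conf
# Added example. Sample lines are constructed, not taken from a real log.
input {
  generator {
    lines => [
      "2024-01-01T10:00:00Z xx 42 ## error disk full on node-3",
      "2024-01-01T10:00:01Z junk junk info job finished",
      "2024-01-01T10:00:02Z zz ?? debug cache miss key=abc"
    ]
    count => 1000000   # finite run so the two variants can be compared
  }
}

filter {
  # Used by both variants: anchored match on the date, the rest kept whole.
  # The leading ^ lets non-matching lines fail fast instead of being rescanned.
  grok {
    match => { "message" => "^%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:rest}" }
  }

  # Variant A: a second grok extracts the level from the remainder.
  grok {
    match => { "rest" => "\b%{LOGLEVEL:level}\b" }
    tag_on_failure => ["_nolevel"]
  }

  # Variant B: comment out the grok above and enable the conditionals below.
  # "in" on a string field is a substring test, so "info" also matches
  # "information"; it is cheaper to write but less precise than \b...\b.
  # if "error" in [rest] {
  #   mutate { add_field => { "level" => "error" } }
  # } else if "info" in [rest] {
  #   mutate { add_field => { "level" => "info" } }
  # } else if "debug" in [rest] {
  #   mutate { add_field => { "level" => "debug" } }
  # }
}

# One dot per event, so the byte count on stdout equals the event count.
output { stdout { codec => dots } }
```

Run each variant with `bin/logstash -f level-test.conf | pv -abt > /dev/null` and compare the average rates that `pv` reports.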

