I am trying to update my Logstash configs to be the best they can be.
If I am looking for a string within a field, which way is the "best" way, in terms of performance?
Option #1
if [message] =~ /(?i)(QNAME)/ {
Option #2
if "QNAME" in [message] {
Follow up question for Option #2. Does it care about case sensitivity ?
... in ... is case-sensitive and Logstash translates it into something like ...include?(...) and therefore the performance for a case-sensitive search for a sub string would be better this way: http://www.mervine.net/ruby-methods-vs-regex
But if you need it to be case-insensitive I'd use a regex. (Another option would be to use Ruby and compare the strings with ....upcase.include?(...), but I'd consider this to be pretty laborious and confusing in the context of a Logstash config file.)
Yea I will pass on Ruby.
Regex is how I had been doing it, but if I am looking for a specific string, in a specific case, I use the ..in.. method. But I figured I needed to get every check to be standardized. It's rough across 45 sites and nearly 200 ingest points. But I gotta get it done.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.