Because I have lots of Logstash configuration files with complex filter definitions (grok, etc…).
I don’t wanna use Graylog extractors to do the (grok) filtering because
(a) there are lots of existing Logstash config files and it would be a huge effort to re-write them in graylog extractors.
(b) I’d have to upscale my graylog cluster (currently 3 nodes) to n nodes so that it can handle the additional grok filtering nodes. imho its cleaner from an architectural point of view to have a separate Logstash cluster to do this.
What do you think?