Graylog regexes and metrics

(Cantemir Pop) #1

I just want to ask if I am doing this right, and if the metrics I am looking at provide relevant information for what I am trying to do.

I just want to improve message processing, and I am looking at stream rules, since I have 100 streams with a lot of regex rules.
I tried to optimize the regexes, but with no relevant gain. And I see that there is a big difference between “match regular expression” and “match exactly”.


The 1st rule is “match exactly” and the 2nd is “match regular expression”.

Can the difference in performance between those two be so big?

The rules are (I extracted them from Mongo):
rs1:PRIMARY> db.streamrules.find({"value":"xvsvsxlog01"}).pretty()
{
    "_id" : ObjectId("57f21cbc9932462777242134"),
    "field" : "source",
    "stream_id" : ObjectId("57f21c4a9932de70148a39d0"),
    "description" : null,
    "type" : 1,
    "inverted" : false,
    "value" : "xvsvsxlog01"
}

rs1:PRIMARY> db.streamrules.find({"_id":ObjectId("580878d8993263699c8523cc")}).pretty()
{
    "_id" : ObjectId("580878d8993263699c8523cc"),
    "field" : "source",
    "stream_id" : ObjectId("5808785c9932b701de0b86b2"),
    "type" : 2,
    "inverted" : false,
    "value" : "||"
}


(Jochen) #2

Yes. It’s the difference between comparing the bytes of two strings (“exact match”) and creating a complex deterministic finite automaton from a string describing a (potentially) complex regular expression.
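
An added example, not part of either post and not Graylog's own code: this Python script reviews exported `streamrules` documents and flags regex rules (type 2) that are really anchored literals and could be stored as "match exactly" rules (type 1) instead. It assumes Graylog applies a regex rule as a partial match on the field; the function names and the constructed sample rules are hypothetical.

```python
EXACT, REGEX = 1, 2  # "type" values as they appear in the two rules on this page
META = set(".^$*+?()[]{}|\\")  # characters with special meaning in a regex

def literal_of(pattern):
    """Return the plain string `pattern` stands for, or None if it is a real regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            # "\." is an escaped literal dot; "\d", "\w" etc. are character classes.
            if i + 1 < len(pattern) and pattern[i + 1] in META:
                out.append(pattern[i + 1])
                i += 2
                continue
            return None
        if ch in META:
            return None
        out.append(ch)
        i += 1
    return "".join(out)

def review_rule(rule):
    """Return (verdict, literal) for one streamrules document."""
    if rule.get("type") != REGEX:
        return ("not-regex", None)
    value = rule.get("value") or ""
    # Assumption: regex rules match anywhere in the field, so only ^literal$
    # equals "match exactly" (and only for values without a trailing newline).
    if len(value) > 2 and value[0] == "^" and value[-1] == "$" and value[-2] != "\\":
        lit = literal_of(value[1:-1])
        if lit:
            return ("convert-to-exact", lit)
    lit = literal_of(value)
    if lit:
        return ("substring-literal", lit)
    return ("keep-regex", None)

# Sample rules: the first two are from the post, the rest are constructed.
SAMPLE_RULES = [
    {"field": "source", "type": 1, "inverted": False, "value": "xvsvsxlog01"},
    {"field": "source", "type": 2, "inverted": False, "value": "||"},
    {"field": "source", "type": 2, "inverted": False, "value": "^xvsvsxlog01$"},
    {"field": "source", "type": 2, "inverted": False, "value": "^web\\.example\\.org$"},
    {"field": "source", "type": 2, "inverted": False, "value": "^web\\d+$"},
    {"field": "message", "type": 2, "inverted": False, "value": "firewall"},
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r["value"], "->", review_rule(r))
```

A "substring-literal" verdict marks a regex with no metacharacters that is not anchored, so it is not equivalent to an exact match and needs a manual decision.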
