hi,
to me, the first screen capture looks grim, but in the second capture the figures don’t look so bad.
I don’t know how to optimize GROK inputs. That is why I have switched most of my GROK patterns to regexes. I got a 10-fold performance improvement from that, and then further 2-3 fold improvement after optimizing my regexes.
The only guess on optimizing GROK from me would be that you need to be sure that ALL log lines have all the fields, as failed matches consume resources quite a lot for nothing.