Performance: Stream Rule vs Pipeline Rule?

Is it more computationally efficient to filter with a stream rule or a pipeline rule?

I have a dedicated input for my VMware syslog. To move toward dropping the debug noise I have a stream with rules for level = 7 and source = 5d66e177775fb801f6d027bd (the input id).

Would it be better to use a pipeline rule to drop all messages originating from that stream? Or should I forget about using a stream rule, feed the All Messages stream into a pipeline rule, and perform my filtering there?

The question is more what your goal is.

Did you want to keep those messages to have them in case you might need them, or did you want to reduce the noise and drop the unwanted messages?

Drop with extreme prejudice. If we need level 7 debug for whatever reason I can temporarily disable the ruleset.

I would personally do all processing in the pipelines.

That includes dropping and routing of the messages.
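
Added example, not part of the original thread: a sketch of a Graylog pipeline rule that does the drop discussed above in a pipeline instead of a stream rule. The rule name is made up, and it assumes the debug messages carry a numeric `level` field and that `gl2_source_input` holds the ID of the receiving input.

```graylog
rule "drop VMware debug syslog"
when
    // Assumption: gl2_source_input is the internal field carrying the input ID
    // (the ID below is the one quoted in the question).
    to_string($message.gl2_source_input) == "5d66e177775fb801f6d027bd" &&
    // Guard against messages without a level; -1 is a default that never matches.
    has_field("level") &&
    to_long($message.level, -1) == 7
then
    // Discard the message; it is not indexed and is not routed any further.
    drop_message();
end
```

The rule only runs for messages in a stream that its pipeline is connected to, so the pipeline has to be attached to the stream that carries this input's messages.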
