I have couple of streams, and I’d like to profile/optimize them. For example, one stream has 2 rules:
- message regex match
I’m not sure how does the graylog apply those rule to the stream. Is it in order? Since level:<=4 is quick int compassion, while regex match is quite an expensive operation comparatively.
Also does adding new rules help in some cases? As in former stream rule, message regex match would be sufficient, however, I have a hunch level:<=4 benefits the performance since it reduces messages needed for regex match by 50 times.
Is it possible to have stream cascade, that is have “Warning stream” for example which will filter about 98% of messages, then other streams working on “warning stream” with more complex rules?
Lastly can I see somewhere how much time each rule/stream takes per message, and how many messages per second are they processing?