Dennis, 

Thanks for your reply. I have bumped the timeout to 5000ms. I still think 
the issue is something meta, not the performance of this regex directly, 
maybe resource contention on the graylog-server node. I'll be writing a 
Graylog plugin to monitor various metrics within Graylog, Elastic, and 
Mongo, which will hopefully be able to extend some of the already great 
metrics provided by the Graylog UI. Maybe I'll find some pressure points in 
that data. 

Thanks again!

On Tuesday, July 7, 2015 at 2:11:22 AM UTC-6, Dennis Oelkers wrote:

> Hey Jesse! 
>
> We are planning to implement OR-concatenation of rules for the next major 
> release of Graylog. This will probably help you a lot for this specific use 
> case to make stream matching faster. Until then, you could try increasing 
> the “stream_processing_timeout” tunable in your server config. It is 
> specified in ms and the current default for it is 2000 (2 seconds). Be 
> warned though that this could have an impact on the overall processing 
> capacity of your Graylog instance. 
>
> Kr, 
>         D. 
>
> -- 
> Tel.: +49 (0)40 609 452 077 
> Fax.: +49 (0)40 609 452 078 
>
> TORCH GmbH - A Graylog company 
> Steckelhörn 11 
> 20457 Hamburg 
> Germany 
>
> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175 
> Geschäftsführer: Lennart Koopmann (CEO) 
>
> > On 06.07.2015, at 18:02, Jesse Skrivseth <voodo...@gmail.com> wrote: 
> > 
> > I have a stream with one defined regex rule, a simple: 
> > 
> > 'source' must match regular expression '(1\.2\.3\.4|9\.8\.7\.6)'   
> > 
> > kind of thing. There are 6 IP addresses in this particular inclusive 
> > list. I don't think the regex is performing slowly enough to stop the 
> > stream processing, but perhaps the system as a whole is periodically busy 
> > doing other things which delay the stream processor long enough to 
> > terminate it. It would need to take 2+ seconds to process one of these 
> > matches in order to terminate it, and I highly doubt this regex could ever 
> > take that long. It seems like a "relative vs absolute clock" issue in the 
> > way these are being timed. 
> > 
> > It would be nice to just do exact matches on a logical OR list of 
> > values, but as far as I can tell that's not possible. 
> > 
> > Any ideas out there?  Thanks! 
> > 
> > 
> > -- 
> > You received this message because you are subscribed to the Google 
> > Groups "graylog2" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> > an email to graylog2+u...@googlegroups.com. 
> > For more options, visit https://groups.google.com/d/optout. 
>
>
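
Added example, not part of the original messages: the rule quoted above is an unanchored alternation, so, assuming the stream rule is evaluated as a substring search, it also accepts look-alike sources such as 11.2.3.45. The Python below (all function names hypothetical, sample values constructed) compares it with an anchored pattern and an exact-match set, and measures the per-message cost that the 2000 ms timeout would have to be exceeded by.

```python
import re
import time

# Constructed allow-list: the two placeholder addresses shown in the thread.
ALLOWED = ["1.2.3.4", "9.8.7.6"]

# The rule as written in the thread: alternation with no anchors.
UNANCHORED = re.compile(r"(1\.2\.3\.4|9\.8\.7\.6)")

def build_anchored(values):
    """Build an exact-match alternation from literal values, escaping each one."""
    return re.compile(r"^(?:" + "|".join(re.escape(v) for v in values) + r")$")

ANCHORED = build_anchored(ALLOWED)
ALLOWED_SET = frozenset(ALLOWED)

def matches_unanchored(source):
    # Substring search: an assumption about how the stream rule is applied.
    return UNANCHORED.search(source) is not None

def matches_anchored(source):
    return ANCHORED.search(source) is not None

def matches_exact(source):
    # The "logical OR list of exact values" asked for in the thread.
    return source in ALLOWED_SET

def mean_seconds(fn, sources, rounds=2000):
    """Mean wall-clock seconds per call of fn over the sample sources."""
    start = time.perf_counter()
    for _ in range(rounds):
        for s in sources:
            fn(s)
    return (time.perf_counter() - start) / (rounds * len(sources))

# Constructed source values: two listed hosts, two look-alikes, one unrelated.
SAMPLES = ["1.2.3.4", "9.8.7.6", "11.2.3.45", "219.8.7.6", "10.0.0.1"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, matches_unanchored(s), matches_anchored(s), matches_exact(s))
    for fn in (matches_unanchored, matches_anchored, matches_exact):
        print(fn.__name__, f"{mean_seconds(fn, SAMPLES) * 1e6:.2f} us per message")
```
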
