Hi Nick,

I don't know if the array approach would work (I guess not, but you can try). I would assume that "contains" would be faster than the regex approach, even with more IPs, because your regex would also be complicated.

If you have a really long list of IPs, then it might be worth parsing the IP from the message with mmnormalize, and then doing exact matches with a list of IPs. This in turn could be a condition with multiple ORs or you could put the list of IPs in an array and use foreach.

I hope this helps.

Best regards,
Radu
--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/

On Thu, Jul 30, 2015 at 8:36 PM, Nick Syslog <[email protected]> wrote:

> I have multiple incoming messages that I want to filter on the contents of
> the message containing an IP address (not a fromhost-ip, etc.)
>
> As a result this forces me to have to search the actual $msg itself using
> either regex or contains...
>
> with that being said, is it more efficient for me to re_match a multitude
> of IP addresses OR'ing them together, or would the following actually work?
>
> if ($msg contains ["IP1","IP2","IP3"....]) then stop
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
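The three matching strategies compared in this thread, modeled in Python outside rsyslog as an added example (not code from the thread or from rsyslog): a substring test, one alternation regex, and parse-then-exact-match against a set. The addresses, sample lines and function names are constructed assumptions; note that the substring test also fires on 192.0.2.10 when only 192.0.2.1 is listed.

```python
import ipaddress
import re

# Constructed filter list and log lines (documentation address ranges).
BLOCKED = {"192.0.2.1", "198.51.100.7", "203.0.113.25"}
SAMPLE_LINES = [
    "Accepted connection from 192.0.2.1 port 4022",   # listed
    "Accepted connection from 192.0.2.10 port 4022",  # NOT listed
    "Denied 203.0.113.25 -> 10.0.0.5 proto tcp",      # listed
    "cron job finished in 1.2.3 seconds",             # no address
]

# Candidate dotted quads that are not part of a longer dotted number.
IPV4_TOKEN = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")


def match_contains(line, blocked=BLOCKED):
    """Substring test, like ORing several `$msg contains "IP"` checks."""
    return any(ip in line for ip in blocked)


def match_regex(line, blocked=BLOCKED):
    """One alternation regex with escaped dots and digit boundaries."""
    alt = "|".join(re.escape(ip) for ip in sorted(blocked))
    return re.search(r"(?<![\d.])(?:%s)(?!\d|\.\d)" % alt, line) is not None


def extract_ips(line):
    """Parse step: pull syntactically valid IPv4 addresses out of the text."""
    found = []
    for token in IPV4_TOKEN.findall(line):
        try:
            found.append(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            pass  # octet out of range, e.g. 999.1.1.1
    return found


def match_exact(line, blocked=BLOCKED):
    """Exact match of each parsed address against the list (set lookup)."""
    return any(ip in blocked for ip in extract_ips(line))


def compare(lines=SAMPLE_LINES):
    """Return (contains, regex, exact) verdicts for every line."""
    return [(match_contains(l), match_regex(l), match_exact(l)) for l in lines]


if __name__ == "__main__":
    for line, verdicts in zip(SAMPLE_LINES, compare()):
        print(verdicts, line)
```
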

