Not speaking for Radu, buy I think he does not have problems, but Grok rules seem more convenient, and often that's really what they are. That's where custom types come in: if you have a good base set, then it really is not much difference in convenience. Unfortunately we don't have this yet.
Rainer Sent from phone, thus brief. Am 07.10.2016 18:53 schrieb "Joe Blow" <blackhole...@gmail.com>: > Hey Radu, > > Long time listener, first time caller :). What did you have problems with > mmnormalize? > > Cheers, > > JB > > On Fri, Oct 7, 2016 at 12:43 PM, Rainer Gerhards <rgerha...@hq.adiscon.com > > > wrote: > > > Just to spread the idea: v2 has custom data types and if used correctly, > > they provide much of the flexibility of Grok. Unfortunately nobody has > yet > > had time to create a set of standard primitive types... > > > > Rainer > > > > Sent from phone, thus brief. > > > > Am 07.10.2016 18:38 schrieb "Radu Gheorghe" <radu.gheor...@sematext.com > >: > > > > > Hi, > > > > > > In the meantime I had quite a lot of experience with both. It sounds > > > like my initial thoughts were pretty good: mmnormalize is A LOT faster > > > but less flexible than grok (remember there's mmgrok as well - though > > > it's quite young and there are no packages, you need to compile > > > manually). > > > > > > We've also some performance testing here, if you're interested in > > > numbers: https://sematext.com/blog/2015/10/16/large-scale-log- > > > analytics-with-solr/ > > > > > > So I guess at the end of the day it depends on the use-case. In our > > > production we do a bit of mmnormalize, but with clients > > > (https://sematext.com/consulting/logging/) I've used both, depending > > > on the requirements. If I need something quick (as in "short > > > development time") and performance isn't critical, I tend to go with > > > Logstash and grok. If I need something fast, it may be worth spending > > > a bit of time and setting liblognorm rules right. > > > > > > Best regards, > > > Radu > > > -- > > > Performance Monitoring * Log Analytics * Search Analytics > > > Solr & Elasticsearch Support * http://sematext.com/ > > > > > > > > > On Tue, Oct 4, 2016 at 10:27 AM, mosto...@gmail.com < > mosto...@gmail.com> > > > wrote: > > > > Hi Radu > > > > > > > > > > > > After reading > > > > http://lists.adiscon.net/pipermail/rsyslog/2013-December/035122.html > > and > > > > considering several years have passed, I would like to get some > > feedback > > > of > > > > your experience, to help me choose between raw forwarding > > > messages+logstash > > > > or split before forwarding with mmnormalize. > > > > > > > > If this decision should've been made today, what you would've > choosen? > > > > > > > > Of course, everybody is welcome to join the thread. > > > > > > > > _______________________________________________ > > > > rsyslog mailing list > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > > http://www.rsyslog.com/professional-services/ > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > > myriad > > > of > > > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T > > > > LIKE THAT. > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > > DON'T LIKE THAT. > > > > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
