On Sat, 8 Oct 2016, Radu Gheorghe wrote:

That's right, it's not so much about problems as
convenience/flexibility. For example, with grok.regex you can specify
optional fields right in the middle of the pattern. With
liblognorm/mmnormalize I have to repeat that rule with and without
that field. If you have 5 of those... you get quite a combinatorial
explosion.

Maybe this particular one is already possible with liblognorm v2? But
anyway, this is just an example. Though I'm looking forward to working
[more] with v2 because it seems much more flexible than v1 indeed.

Yep, one of the things you can specify in the v2 language is alternatives, and you can do this either inside a single rule or as a type that you then use in a rule.

v2 is a massive improvement in terms of flexibility compared to v1

David Lang

--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/


On Fri, Oct 7, 2016 at 9:56 AM, Rainer Gerhards
<[email protected]> wrote:
Not speaking for Radu, but I think he does not have problems, but Grok
rules seem more convenient, and often that's really what they are. That's
where custom types come in: if you have a good base set, then it really is
not much difference in convenience. Unfortunately we don't have this yet.

Rainer

Sent from phone, thus brief.

On 07.10.2016 at 18:53, "Joe Blow" <[email protected]> wrote:

Hey Radu,

Long time listener, first time caller :).  What problems did you have with
mmnormalize?

Cheers,

JB

On Fri, Oct 7, 2016 at 12:43 PM, Rainer Gerhards <[email protected]> wrote:

Just to spread the idea: v2 has custom data types and if used correctly,
they provide much of the flexibility of Grok. Unfortunately nobody has
yet had time to create a set of standard primitive types...

Rainer

Sent from phone, thus brief.

On 07.10.2016 at 18:38, "Radu Gheorghe" <[email protected]> wrote:

Hi,

In the meantime I had quite a lot of experience with both. It sounds
like my initial thoughts were pretty good: mmnormalize is A LOT faster
but less flexible than grok (remember there's mmgrok as well - though
it's quite young and there are no packages, you need to compile
manually).

We've also done some performance testing here, if you're interested in
numbers: https://sematext.com/blog/2015/10/16/large-scale-log-analytics-with-solr/

So I guess at the end of the day it depends on the use-case. In our
production we do a bit of mmnormalize, but with clients
(https://sematext.com/consulting/logging/) I've used both, depending
on the requirements. If I need something quick (as in "short
development time") and performance isn't critical, I tend to go with
Logstash and grok. If I need something fast, it may be worth spending
a bit of time and setting liblognorm rules right.

Best regards,
Radu
--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/


On Tue, Oct 4, 2016 at 10:27 AM, [email protected] <[email protected]> wrote:
Hi Radu


After reading
http://lists.adiscon.net/pipermail/rsyslog/2013-December/035122.html
and considering several years have passed, I would like to get some
feedback of your experience, to help me choose between raw forwarding
messages+logstash or split before forwarding with mmnormalize.

If this decision should've been made today, what would you have
chosen?

Of course, everybody is welcome to join the thread.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.