I also believe that grok parsers can be added through configuration only, without having to compile a parser.
You can add a parser configuration targeting the basic grok parser and just provide the grok parser rules. Just as a heads up, I’m currently working on the parsers to allow for writing and maintaining parsers outside the metron code tree, including providing a maven archetype. This will allow you to create parsers without having to maintain a fork etc. Keep an eye out for METRON-258 as a PR on the list. On April 7, 2017 at 08:54:35, Justin Leet (justinjl...@gmail.com) wrote: My understanding of Grok vs Java is to provide a tradeoff for ease of implementation vs performance (plus Java can also handle parsing that would be too complicated for Grok. Grok is less performant and handles less complex parsing, but it's easy to get things going and potentially maintained without writing and compiling Java. The Java implementation will be better for performance and can handle more complicated parsing Grok can't. I believe the preference has generally been for Grok parsers if appropriate, otherwise Java parsers. Justin On Fri, Apr 7, 2017 at 8:09 AM, Ali Nazemian <alinazem...@gmail.com> wrote: > Hi Mark, > > Yeah, that would be great. Can you please specify which devices you have > developed so far? > > Cheers, > Ali > > On Fri, Apr 7, 2017 at 4:10 PM, Mark De Rijk <me.der...@gmail.com> wrote: > > > Dear all, > > > > I am a heavy arcsight user and I have written quite a few parsers over > > time. > > I am new to contributing to open source projects however. > > @Ali, would you like to cooperate on development of some parsers? > > > > Kind Regards, > > Mark de Rijk > > > > > > > On 7 Apr 2017, at 04:30, Ali Nazemian <alinazem...@gmail.com> wrote: > > > > > > Hi all, > > > > > > We are going to develop some parsers and have some contribution to the > > > community as a start point. I was wondering what the reason is behind > > > choosing Grok statements for some of the implementations and Java regex > > for > > > other ones? Is there any policy for that? Probably it would be better > to > > > have the Java regex implementation due to performance concerns. > However, > > I > > > am sure there is a reason that some of them have been implemented with > > > using Grok statements. > > > > > > Regards, > > > Ali > > > > > > -- > A.Nazemian >
