On Wed, 28 Jan 2015, Kendall Green wrote:
> But I understand the number of combinations / per rule in a rulebase, would
> affect performance.

This is actually not the case (at least unless you use regex types).

This is the power of liblognorm and why it isn't just a 'typical' regex engine.

liblognorm compiles the ruleset into a parse tree. With that parse tree,
processing a message is (almost*) as simple as 'start at the beginning of the log
message, look at the first character and pick what branch to take, look at the
next character and pick what branch to take... hit the end of the string or the
tree and you have finished parsing the message'.

So it doesn't matter if a ruleset has 10 entries or 10000 entries, the time
taken to process a log message against it is the same: how long it takes to walk
the length of the message.

David Lang

* The almost is because the fact that you are gathering data into tags means that
there is a timeframe when you may be dealing with two branches of the tree, one
where the data is part of a tag, and one where it's a constant. And the
subtleties of this are why it's so useful to have this as a library.
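
The parse-tree walk described in the message above, as an added sketch that is not part of the original post and is not liblognorm's code. It assumes a simplified rule syntax with a single `%name:word%` field type; `Node`, `add_rule`, `match`, `build` and `parse` are hypothetical names, and the rules are constructed samples. It counts the nodes visited for one message against a 10-rule and a 10000-rule tree, and shows the "almost" case where a constant branch and a field branch are both tried.

```python
import re

class Node:
    def __init__(self):
        self.lit = {}      # next literal character -> child Node
        self.field = None  # (name, child Node) for a %name:word% branch
        self.tag = None    # set when a rule ends at this node

def add_rule(root, tag, pattern):
    """Insert one rule; rules with a common prefix share nodes."""
    node = root
    for part in re.split(r"(%\w+:word%)", pattern):
        m = re.fullmatch(r"%(\w+):word%", part)
        if m:  # simplification: first field name seen at a node wins
            node.field = node.field or (m.group(1), Node())
            node = node.field[1]
        else:
            for ch in part:
                node = node.lit.setdefault(ch, Node())
    node.tag = tag

def match(node, msg, pos, stats):
    """Return (tag, fields) or None; stats['steps'] counts nodes visited."""
    stats["steps"] += 1
    if pos == len(msg):
        return (node.tag, {}) if node.tag else None
    child = node.lit.get(msg[pos])  # constant branch: next char is literal
    hit = match(child, msg, pos + 1, stats) if child else None
    if hit is None and node.field:  # field branch: word runs to next space
        name, child = node.field
        end = msg.find(" ", pos)
        end = len(msg) if end == -1 else end
        sub = match(child, msg, end, stats) if end > pos else None
        if sub:
            hit = (sub[0], {name: msg[pos:end], **sub[1]})
    return hit

def build(n_filler):
    """Constructed sample rulebase: two auth rules plus n_filler others."""
    root = Node()
    add_rule(root, "auth_fail", "login failed for %user:word%")
    add_rule(root, "root_fail", "login failed for root")
    for i in range(n_filler):
        add_rule(root, f"svc{i}", f"svc{i}: event %code:word%")
    return root

def parse(root, msg):
    stats = {"steps": 0}
    return match(root, msg, 0, stats), stats["steps"]

if __name__ == "__main__":
    for n in (10, 10000):
        print(n, parse(build(n), "login failed for rachel"))
```

For "login failed for rachel" the walk first follows the constant `r` of `root`, fails at `a`, and falls back to the field branch; that one extra node is the only cost beyond the message length, whatever the rule count.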
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog