On Wed, 23 Nov 2016, [email protected] wrote:

The ugly way to do this would be a series of

if $programname == "group/appX" then set $.owner = "\"group\":\"group\",\"unit\":\"unit\",\"app\":\"appX\",";

Does having multiple templates affect performance? (What I really noticed is that they affect loading time!)

Not really, but we haven't had anyone experiment with thousands of them, so it's possible, but unlikely, that there would be a measurable slowdown as rsyslog finds the right one to use.

The bigger overhead is in interpreting the template; that's where simplifying it to be $! or $!foo would be a big win (or writing a string module).


A far more elegant way to do this would be to do a table lookup on the programname and have it return the string.

I have read about how lookup tables can be used for GeoIP. Could you provide a link to a doc where there's an example?

There isn't a good writeup, but if you read on how to use the MaxMind database, the Perl example has you create an array where the first element is the decimal equivalent of the first IP address that matches the data.

This is exactly the structure that a sparse array lookup table is intended for. I believe there is a function that will take an IPv4 address and return a decimal number (if not, we need to add one). Use that function to create a number, look up the number in the lookup table, and have it return the data.

You can also simplify the template a bit. Instead of crafting the JSON in the template, create a variable that has what you want in/under it and output that variable. But compared to collapsing all the templates together, that's a minor change :-)

One variable for each file and one template which uses it, isn't it?

$!foo!bar = "abc" maps to {"foo": { "bar": "abc" } } in JSON, and if you put %$!foo% in a template, what you will get is '{ "bar": "abc" }'

So where you had group, unit, app, msg, and a couple other things, and then combined them with {}," into a JSON string, you could instead do

set $!foo!group = "A";
set $!foo!unit = "b";
set $!foo!msg = $!msg;
...

and then replace all that hard-to-read JSON construction in the template with $!foo


I question the value of having a separate sending queue for each app. I think it's better to send them in one combined firehose and split them on the receiving side. It makes it less disruptive when you find you want to change the groupings of things, and all those queues on the sender can eat up a lot of RAM.

Probably this is because I came from Redis.

That's what I'm thinking. With Logstash you are forced to use something external for queueing and lots of separate instances (and separate parser sets), or things just don't work well.

With rsyslog, the performance is 100-1000x as fast, and a lot of the stuff is built-in, so you don't need to split things up as much, and the reduction in the communications overhead adds to your wins.

Talking about Elastic, probably an ingest node would be the best option, while having the index name as metadata.

There are two approaches, and I haven't tried them under fire on an ES cluster to know which is the best.

dedicate a node to ingest the data

spread the traffic across many different nodes and have a local copy of rsyslog receive the data and push it into the local ES instance.

I suspect that, properly managed, a dedicated ingest node will be a win.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
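A worked rsyslog configuration, added here as an example and not part of the thread above, that puts the two suggestions together: a string lookup table keyed on $programname replaces the chain of per-app if/set statements, and the result is placed under a single $!out subtree that one template renders as JSON. The table names, file paths, the "collector.example" receiver, the queue sizes and the group/unit values are all assumptions; the lookup table file layout (version, nomatch, type, table) is the documented rsyslog format.

```rsyslog
# Added example, not code from the thread. Names, paths, target and values are assumptions.
#
# /etc/rsyslog.d/app_group.json (rsyslog "string" lookup table; constructed sample):
# { "version": 1, "nomatch": "unknown", "type": "string",
#   "table": [ { "index": "group/appX", "value": "group" },
#              { "index": "group/appY", "value": "group" } ] }
# /etc/rsyslog.d/app_unit.json has the same shape and maps programname -> unit.

global(workDirectory="/var/spool/rsyslog")   # needed for the disk-assisted queue below

lookup_table(name="app_group" file="/etc/rsyslog.d/app_group.json" reloadOnHUP="on")
lookup_table(name="app_unit"  file="/etc/rsyslog.d/app_unit.json"  reloadOnHUP="on")

# One template for every app: %$!out% renders the whole subtree as a JSON
# object, so no hand-built {},"" quoting is needed in the template string.
template(name="json_out" type="string" string="%$!out%\n")

if $programname startswith "group/" then {
    # lookup() returns the table's "nomatch" value for programs that are not
    # listed, so an unknown app is still tagged instead of producing a broken record.
    set $!out!group = lookup("app_group", $programname);
    set $!out!unit  = lookup("app_unit", $programname);
    set $!out!app   = $programname;
    set $!out!host  = $hostname;
    set $!out!time  = $timereported;
    set $!out!msg   = $msg;

    # One queue to one receiver (the "combined firehose"); splitting by app
    # or choosing the ES index happens on the receiving side from the metadata.
    action(type="omfwd" target="collector.example" port="514" protocol="tcp"
           template="json_out"
           queue.type="linkedlist" queue.size="100000"
           queue.filename="fwd_q" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Adding a new app is then an extra line in the two table files followed by a HUP, with no template or rule change; the nomatch value makes a missing entry visible in the receiver's data rather than silently dropping the message.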
