I have to parse large volumes of syslog data collected in Splunk in different indexes. It seems Splunk can be configured in different ways to collect syslog data <https://docs.splunk.com/Documentation/Splunk/7.2.0/Data/HowSplunkEnterprisehandlessyslogdata>. I have a custom written regex parser. I am planning to use regex (single pass) to separate out message and header and use parser chaining to parse the message content using CSV/regex itself according to the message format. In terms of performance, considering heavy traffic (3 TB/day), is there any problem with this approach? I could see the existing syslog5424 <https://github.com/palindromicity/simple-syslog-5424/> uses antlr4 instead of regex. Is there any advantage to this in terms of performance?
--
Muhammed Irshad K T
Senior Software Engineer
+919447946359
[email protected]
Skype : muhammed.irshad.k.t
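The two-stage approach described in the post (one anchored regex to split the RFC 5424 header from the message, then a per-application message parser), written out as an added example; this is not the poster's parser nor code from simple-syslog-5424. The sshd and "fwaudit" message formats, the APP-NAME dispatch table and all sample lines are constructed for illustration.

```python
import csv
import re

# Single-pass RFC 5424 header regex. Fields are space-delimited and contain no spaces,
# so each quantifier is unambiguous and matching stays linear on hostile input (nested
# quantifiers would risk catastrophic backtracking). Assumption: structured-data values
# contain no escaped "]", which the simple [^\]]* class does not handle.
SYSLOG_5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app_name>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

def parse_header(line):
    """Split header from MSG and decode PRI into facility and severity."""
    m = SYSLOG_5424.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri >> 3, pri & 7
    return rec

# Second-stage parsers chained by APP-NAME; both message formats are hypothetical.
SSHD_RE = re.compile(r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)")

def parse_sshd_msg(msg):
    m = SSHD_RE.search(msg)
    return m.groupdict() if m else {}

def parse_csv_msg(msg):  # hypothetical firewall audit format: user,src_ip,action
    return dict(zip(("user", "src_ip", "action"), next(csv.reader([msg]))))

MSG_PARSERS = {"sshd": parse_sshd_msg, "fwaudit": parse_csv_msg}

def parse(line):
    rec = parse_header(line)
    if rec is None:  # keep unparseable input visible instead of silently dropping it
        return {"raw": line, "parse_error": True}
    parser = MSG_PARSERS.get(rec["app_name"])
    if parser and rec["msg"]:
        rec["fields"] = parser(rec["msg"])
    return rec

SAMPLE_LINES = [  # constructed sample lines, not real traffic
    '<34>1 2003-10-11T22:14:15.003Z mymachine.example.com sshd 2342 ID47 [exampleSDID@32473 iut="3"] Accepted publickey for alice from 192.0.2.10 port 51234 ssh2',
    '<14>1 2024-01-01T00:00:01Z fw01 fwaudit - - - alice,10.0.0.5,deny',
    'this line is not syslog',
]
RECORDS = [parse(line) for line in SAMPLE_LINES]
```

Because the header pattern is anchored and every field is bounded by a literal space, a malformed or hostile line fails fast and is tagged rather than triggering backtracking or being lost; the per-message parsers only ever see the MSG part, so a change in one application's format does not touch the header stage.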
