Solved: Performance difference between using SEDCMD and ol...

DrewO · ‎12-01-2010

Is there a performance difference between using the SEDCMD syntax in just props.conf versus using the older method which uses TRANSFORMS and calls a stanza in transforms.conf using REGEX?

gkanapathy · ‎12-02-2010

For the particular case of s/one/two/ vs ^(.*?)one(.*)$ -> $1two$2, the former is possibly very slightly faster, but differences in the efficiencies of the regex used (e.g., using (.*?) vs (.*)) would probably enormously outweigh that. Note that it's actually not possible to use s/one/two/g (i.e., with the g flag) to replace multiple occurrences with TRANSFORMS.

View solution in original post

gkanapathy · ‎12-02-2010

For the particular case of s/one/two/ vs ^(.*?)one(.*)$ -> $1two$2, the former is possibly very slightly faster, but differences in the efficiencies of the regex used (e.g., using (.*?) vs (.*)) would probably enormously outweigh that. Note that it's actually not possible to use s/one/two/g (i.e., with the g flag) to replace multiple occurrences with TRANSFORMS.

DrewO · ‎12-02-2010

@Lowell yes that's what the student wanted to know. For one off replacements, like overwriting a credit card number/account code.

Lowell · ‎12-01-2010

Just to be clear, the SEDCMD and TRANSFORMS index-time transformations are not exact drop-in replacements for each other. For example, SEDCMD character substitution (like y/ABC/abc/), and repeating replacements (like s/eggs/spam/g) are things that can only be done using SEDCMD, but SEDCMD is limited to only modifying the _raw field. So in your question, I'm assuming that your are specifically asking about where these two approaches overlap (a single replace operation on the _raw field.) If this is incorrect, please update your question.

Performance difference between using SEDCMD and older REGEX/TRANSFORMS method

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!