I want to parse a log file containing several line in the same format.
My log files are about 50mb each (350k lines) so i need something
quite fast. The current (and fastest) solution i came up with is using
StringScanner.
I save what i get into variables and then pass them all into a Struct
i created. Each new struct is then passed into an Array that holds all
structs.
Here’s my test code:
require ‘strscan’
a = “1140908573.050732 rule 19/0(match): pass unkn(255) on sis1:
80.202.226.15.50000 > 192.168.0.6.52525: UDP, length 64”
s = StringScanner.new(a)
time = s.scan(/\d+.\d+/)
s.pos += 23
rule_no = s.scan(/\d+/)
s.skip(/[\d\D]*?\s/)
stat = s.scan(/\w+/)
s.skip(/.*on\s/)
interface = s.scan(/\w+:/)
s.skip(/\D+?\s/)
out_ip = s.scan(/(\d+.){3}\d{0,3}/)
s.pos += 1
out_port = s.scan(/\d+/)
s.skip(/\D+/)
in_ip = s.scan(/(\d+.){3}\d{0,3}/)
s.pos += 1
in_port = s.scan(/\d+/)
s.pos += 2
proto = s.scan(/\w+/)
proto
s.pos += 1
Running that on a 10k times loop it takes about 0.6 seconds to
complete. Is there a better/faster way on doing it?
i created. Each new struct is then passed into an Array that holds all
s = StringScanner.new(a)
out_port = s.scan(/\d+/)
complete. Is there a better/faster way on doing it?
knowledge is important, but the much more important is the use toward which it
is put. this depends on the heart and mine the one who uses it.
h.h. the 14th dali lama
I’m sorry, the log file i have comes from a live firewall. I’d rather
not release it.
The log is only consisted by several line such as the one i used in the
code.
OK, so first off, your sample implementation seemed to have several
bugs in it. After fixing those, I thought you might be able to save
some time by glomming all the regexp’s together, obviating the need
for StringScanner altogether. However, that doesn’t seem to have
actually made any difference… if anything it seems to have been a
little slower. I don’t know why. And the great big long Regexp is
considerably harder to read.
I tried to optimize some of your patterns to eliminate backtracking,
use noncapturing parens, etc. That also didn’t seem to help much. So,
it looks like (sans bugs) your code is pretty much optimal. I’m
including my version below in case it might be useful anyway.
Some notes:
I got rid of silly stuff like \D+? after the interface name, since it
doesn’t seem necessary. (It’s not needed for the one line of data you
provided, anyway.)
The ip addresses will now both end with “.”. So, chop it off if that’s
a problem.
Looks like you inverted the source and destination address/port
fields? I didn’t fix that…
require ‘strscan’
a = “1140908573.050732 rule 19/0(match): pass unkn(255) on sis1:
80.202.226.15.50000 > 192.168.0.6.52525: UDP, length 64”
10000.times do
s = StringScanner.new(a)
time = s.scan(/\d+.\d+/)
s.pos = 23
rule_no = s.scan(/\d+/)
s.skip(/\S+\s/)
stat = s.scan(/\w+/)
s.skip(/\s\S+\son\s/)
interface = s.scan(/\w+:/)
s.skip(/\s/)
out_ip = s.scan(/(?:\d+.){4}/)
out_port = s.scan(/\d+/)
s.skip(/ > /)
in_ip = s.scan(/(?:\d+.){4}/)
in_port = s.scan(/\d+/)
s.pos += 2
proto = s.scan(/\w+/)
end
OK, so first off, your sample implementation seemed to have several
bugs in it. After fixing those, I thought you might be able to save
some time by glomming all the regexp’s together, obviating the need
for StringScanner altogether. However, that doesn’t seem to have
actually made any difference…
I don’t buy this. A single plain RX is usually faster than a more
complex
solution. Even on a machine with constant high load (I had no different
available at the moment) I get a significant difference (north of 6%):