11 Optimizing for regular expressions at scale

This chapter covers

  • Knowing where regular expressions are used in telemetry
  • Optimizing your regular-expression use
  • Changing your emissions to speed regular expressions

The best way to optimize regular expressions (regexes) at scale is to not use regular expressions. But the telemetry tooling we have available sometimes doesn’t give us the option of avoiding them, and we have to deal with them anyway. This chapter is about making the regexes you must use perform as well as they can. Much as in programming, regexes are used for two reasons in a telemetry pipeline:

  • Control program flow—If a string matches a regex, do something, such as attempt parsing a certain way.
  • Extract fields from strings—Using regex, you can capture expressions to add fields to telemetry being processed, known as enrichment. (See chapter 6 for more on enrichment in general.)

11.1 Anchoring expressions for speed

11.2 Building expressions to fail fast

11.3 Digging into the Cisco ASA firewall telemetry

11.4 Refining emissions to speed regular-expression performance

11.5 Additional regular-expression resources

Summary