Running cscli explain --log 'single line' --type syslog here takes almost 4 seconds, which is rather annoying when testing it and I wonder if it’s normal for it to take that long?
I’ve tried adding --trace to the command line to see if I can gather some more information about it, but it just outputs
DEBU[09-09-2024 16:47:23] Patching yaml: '/etc/crowdsec/config.yaml' with '/etc/crowdsec/config.yaml.local'
DEBU[09-09-2024 16:47:23] Using /etc/crowdsec/config.yaml as configuration file
immediately before hanging for 3+ seconds, so it doesn’t really help to understand what is going on.
It can be, depending on how many scenarios and parsers you have, plus spare compute. In the background, cscli explain launches a separate CrowdSec program to do the processing of the log line and dump the current state to a temporary file, which is then re-read by cscli explain to show the output.
I see, thanks, I didn’t realize cscli explain launched a separate instance.
FWIW I have only 3 parsers and about a dozen scenarios, but I do see that crowdsec startup or restart takes quite a bit of time (admittedly, this is on a machine with a pretty old i7 CPU).
I wish there were a faster way to test a grok expression; as it is, I’m mostly using https://grokdebugger.com/ to do it, which is less convenient than doing it in the terminal, but much faster.
Yeah, even I use grokdebugger mostly when it seems to be failing or I can't figure out why… we also did create our own, which includes all of the default patterns:
but the UI is made by an engineer, so it has a lot of functionality, just not as pretty
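For the terminal-side grok testing discussed in this thread, here is an added example (not from any poster and not CrowdSec code) that expands `%{NAME:field}` references into a plain regex and matches a log line without starting a CrowdSec process. Assumptions: the pattern table, the sample line and both expressions are constructed for illustration, and Python's `re` stands in for the regex engine CrowdSec uses, so a final check with cscli explain is still needed.

```python
import re
import sys

# Constructed, simplified pattern set (assumption): NOT the definitions CrowdSec ships.
PATTERNS = {
    "INT": r"[+-]?\d+",
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
    "PROG": r"[\w./-]+",
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)",
    "SYSLOGTS": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(expr, patterns=PATTERNS, depth=0):
    """Rewrite %{NAME} / %{NAME:field} references into a plain regex."""
    if depth > 10:
        raise ValueError("grok patterns nested too deeply (reference cycle?)")
    def repl(m):
        name, field = m.group(1), m.group(2)
        if name not in patterns:
            raise KeyError(f"unknown grok pattern %{{{name}}}")
        body = expand(patterns[name], patterns, depth + 1)
        # A named reference becomes a named capture group, otherwise a plain group.
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(repl, expr)

def grok_match(expr, line):
    """Return captured fields as a dict, or None when the line does not match."""
    m = re.search(expand(expr), line)
    return m.groupdict() if m else None

# Constructed sample input and expressions.
SAMPLE = ("Sep  9 16:47:23 host1 sshd[1234]: Failed password for invalid user "
          "admin from 192.0.2.10 port 51234 ssh2")
SYSLOG = (r"^%{SYSLOGTS:timestamp} %{NOTSPACE:host} %{PROG:program}"
          r"(?:\[%{INT:pid}\])?: %{GREEDYDATA:message}$")
SSH_FAIL = r"Failed password for (?:invalid user )?%{NOTSPACE:user} from %{IPV4:source_ip}"

if __name__ == "__main__":
    # Usage: script.py ['grok expression' ['log line']]; defaults to the samples.
    expr = sys.argv[1] if len(sys.argv) > 1 else SYSLOG
    line = sys.argv[2] if len(sys.argv) > 2 else SAMPLE
    print(grok_match(expr, line))
```

A `None` result means the expression did not match, and an unknown pattern name raises `KeyError` instead of silently matching nothing.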