Skip to content

Ingest structured ES slow logs#10447

Merged
ycombinator merged 3 commits intoelastic:masterfrom
ycombinator:fb-es-slowlog-structured
Feb 1, 2019
Merged

Ingest structured ES slow logs#10447
ycombinator merged 3 commits intoelastic:masterfrom
ycombinator:fb-es-slowlog-structured

Conversation

@ycombinator
Copy link
Contributor

@ycombinator ycombinator commented Jan 31, 2019

This PR teaches the elasticsearch/slowlog fileset to ingest structured Elasticsearch search and indexing slow logs.

This PR takes the same approach as #10352, in that it creates an entrypoint pipeline, pipeline.json, that delegates further processing of a log entry depending on what it sees as the first character of the entry:

  • If the first character is {, it assumes the log line is structured as JSON and delegates further processing to pipeline-json.json.
  • Else, it assumes the log line is plaintext and delegates further processing to pipeline-plaintext.json.

@ycombinator ycombinator requested review from a team as code owners January 31, 2019 02:00
@elasticmachine
Copy link
Contributor

elasticmachine commented Jan 31, 2019

Pinging @elastic/stack-monitoring

@cachedout
Copy link
Contributor

cachedout commented Jan 31, 2019

Looking good so far!

@ycombinator ycombinator changed the title [WIP] Ingest structured ES slow logs Ingest structured ES slow logs Feb 1, 2019
@ycombinator ycombinator added review and removed in progress Pull request is currently in progress. labels Feb 1, 2019
ruflin
ruflin approved these changes Feb 1, 2019
View reviewed changes
filebeat/module/elasticsearch/slowlog/ingest/pipeline-json.json Outdated
Copy link
Contributor

@ruflin ruflin Feb 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kind of odd that we need 2 steps here, but well.

Copy link
Contributor Author

@ycombinator ycombinator Feb 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. This will help: elastic/elasticsearch#36950.

filebeat/module/elasticsearch/slowlog/config/slowlog.yml Outdated
Copy link
Contributor

@ruflin ruflin Feb 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is kind of interesting. In the event for json it's not a multiline anymore but here we still need the multiline config 🤔

Good for now, jus thought I mention it.

@ycombinator ycombinator merged commit b3f0c31 into elastic:master Feb 1, 2019
@ycombinator ycombinator deleted the fb-es-slowlog-structured branch February 1, 2019 21:28
@klacabane klacabane mentioned this pull request Apr 21, 2023
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cachedout cachedout cachedout approved these changes

@ruflin ruflin ruflin approved these changes

Assignees

No one assigned

Labels

enhancement Feature:Stack Monitoring Filebeat Filebeat module review v7.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ycombinator @elasticmachine @cachedout @ruflin