Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Inefficient Grok expression in Postgresql module causes Cluster to Stop Responding #7201

Closed
gingerwizard opened this issue May 29, 2018 · 0 comments
Closed

[Filebeat] Inefficient Grok expression in Postgresql module causes Cluster to Stop Responding #7201

gingerwizard opened this issue May 29, 2018 · 0 comments
Assignees
@ph
Labels
bug Filebeat Filebeat module

Comments

@gingerwizard
Copy link

  • Version: 6.2.4
  • Operating System: Linux k8 on GCP
  • postgresql - 9.6.2

The postgresql module for filebeat contains a grok expression for parsing the log lines https://github.com/elastic/beats/blob/master/filebeat/module/postgresql/log/ingest/pipeline.json#L8-L13

This expression works but is extremely inefficient. Even on moderate loads (100 docs/sec) the indexing latency increases and causes the ES queue to fill - thus preventing any indexing on the cluster. ES hot_threads highlight the hot spot:

97.4% (486.9ms out of 500ms) cpu usage by thread 'elasticsearch[instance-0000000005][bulk][T#1]'
     3/10 snapshots sharing following 16 elements
       org.joni.ByteCodeMachine.matchAt(ByteCodeMachine.java:203)
       org.joni.Matcher.matchCheck(Matcher.java:304)
       org.joni.Matcher.searchInterruptible(Matcher.java:457)
       org.joni.Matcher.search(Matcher.java:318)
       org.elasticsearch.ingest.common.Grok.captures(Grok.java:206)
       org.elasticsearch.ingest.common.GrokProcessor.execute(GrokProcessor.java:65)
       org.elasticsearch.ingest.CompoundProcessor.execute(CompoundProcessor.java:100)

Testing indicates the https://github.com/elastic/beats/blob/master/filebeat/module/postgresql/log/ingest/pipeline.json#L18
is responsible.

On Postgresql 9.6.2 this isn't actually necessary and the following is sufficient.

{
          "grok": {
            "field": "message",
            "ignore_missing": true,
            "patterns": [
              "^%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timezone} \\[%{NUMBER:postgresql.log.thread_id}\\] %{USERNAME:postgresql.log.user}@%{HOSTNAME:postgresql.log.database} %{WORD:postgresql.log.level}:  duration: %{NUMBER:postgresql.log.duration} ms  statement: %{GREEDYDATA:postgresql.log.query}",
              "^%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timezone} \\[%{NUMBER:postgresql.log.thread_id}\\] \\[%{USERNAME:postgresql.log.user}\\]@\\[%{HOSTNAME:postgresql.log.database}\\] %{WORD:postgresql.log.level}:  duration: %{NUMBER:postgresql.log.duration} ms  statement: %{GREEDYDATA:postgresql.log.query}",
              "^%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timezone} \\[%{NUMBER:postgresql.log.thread_id}\\] %{USERNAME:postgresql.log.user}@%{HOSTNAME:postgresql.log.database} %{WORD:postgresql.log.level}:  ?%{GREEDYDATA:postgresql.log.message}",
              "^%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timezone} \\[%{NUMBER:postgresql.log.thread_id}\\] \\[%{USERNAME:postgresql.log.user}\\]@\\[%{HOSTNAME:postgresql.log.database}\\] %{WORD:postgresql.log.level}:  ?%{GREEDYDATA:postgresql.log.message}",
              "^%{LOCALDATETIME:postgresql.log.timestamp} %{WORD:postgresql.log.timezone} \\[%{NUMBER:postgresql.log.thread_id}\\] %{WORD:postgresql.log.level}:  ?%{GREEDYDATA:postgresql.log.message}"
            ],
            "pattern_definitions": {
              "LOCALDATETIME": "[-0-9]+ %{TIME}"
            }
          }
        }

I believe the above can be further refactored - possibly to a single expression. @ph for further action
@ph ph added Filebeat Filebeat module labels May 29, 2018
@ph ph self-assigned this May 29, 2018
@ph ph added the bug label May 29, 2018
@ph ph mentioned this issue Jun 5, 2018
Merged
ph added a commit to ph/beats that referenced this issue Jun 5, 2018
@ph
Optimize postgresql ingest pipeline
3385072 
The postgresql ingest pipeline was not performing so well.
This PR use the following rules to improve the situation.

- Anchor the Regular expression at the begining of the string.
- Merge the multiple statements into a single RE
- Do not use back reference for user/host delimiter.

Fixes: elastic#7201
ruflin pushed a commit that referenced this issue Jun 12, 2018
@ph @ruflin
Optimize postgresql ingest pipeline (#7269)
4a41587 
The postgresql ingest pipeline was not performing so well.
This PR use the following rules to improve the situation.

- Anchor the Regular expression at the begining of the string.
- Merge the multiple statements into a single RE
- Do not use back reference for user/host delimiter.

Fixes: #7201

## Note to reviewers:

Master branch to ingest 18 documents 26ms, this PR 11 ms.
Not I did not use dissect, since there are variations in the tokens.
@ph ph mentioned this issue Jun 15, 2018
Merged
ph added a commit to ph/beats that referenced this issue Jun 15, 2018
@ph
Optimize postgresql ingest pipeline (elastic#7269)
4a31e8b 
The postgresql ingest pipeline was not performing so well.
This PR use the following rules to improve the situation.

- Anchor the Regular expression at the begining of the string.
- Merge the multiple statements into a single RE
- Do not use back reference for user/host delimiter.

Fixes: elastic#7201

Master branch to ingest 18 documents 26ms, this PR 11 ms.
Not I did not use dissect, since there are variations in the tokens.

(cherry picked from commit 4a41587)
ruflin pushed a commit that referenced this issue Jun 18, 2018
@ph @ruflin
Optimize postgresql ingest pipeline (#7269) (#7344)
385cbb7 
The postgresql ingest pipeline was not performing so well.
This PR use the following rules to improve the situation.

- Anchor the Regular expression at the begining of the string.
- Merge the multiple statements into a single RE
- Do not use back reference for user/host delimiter.

Fixes: #7201

Master branch to ingest 18 documents 26ms, this PR 11 ms.
Not I did not use dissect, since there are variations in the tokens.

(cherry picked from commit 4a41587)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@ph @ruflin
Optimize postgresql ingest pipeline (elastic#7269) (elastic#7344)
8268e89 
The postgresql ingest pipeline was not performing so well.
This PR use the following rules to improve the situation.

- Anchor the Regular expression at the begining of the string.
- Merge the multiple statements into a single RE
- Do not use back reference for user/host delimiter.

Fixes: elastic#7201

Master branch to ingest 18 documents 26ms, this PR 11 ms.
Not I did not use dissect, since there are variations in the tokens.

(cherry picked from commit e801aaa)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ph ph

Labels
bug Filebeat Filebeat module
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ph @gingerwizard