Add GC fileset to Elasticsearch Filebeat module #7305

Merged
merged 16 commits into from
Jun 18, 2018
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
@@ -188,6 +188,7 @@ https://github.com/elastic/beats/compare/v6.2.3...master[Check the HEAD diff]
- Correctly join partial log lines when using `docker` input. {pull}6967[6967]
- Add support for TLS with client authentication to the TCP input {pull}7056[7056]
- Converted part of pipeline from treafik/access metricSet to dissect to improve efficeny. {pull}7209[7209]
- Add GC fileset to the Elasticsearch module. {pull}7305[7305]

*Heartbeat*

17 changes: 17 additions & 0 deletions filebeat/docs/fields.asciidoc
@@ -800,6 +800,23 @@ elasticsearch Module



[float]
== gc fields

Contains fields for the Elasticsearch JVM garbage collection logs.



*`elasticsearch.gc.message`*::
+
--
type: text

Original GC log message.


--

[float]
== server fields

2 changes: 1 addition & 1 deletion filebeat/include/fields.go

Large diffs are not rendered by default.

9 changes: 9 additions & 0 deletions filebeat/module/elasticsearch/gc/_meta/fields.yml
@@ -0,0 +1,9 @@
- name: gc
type: group
description: >
Contains fields for the Elasticsearch JVM garbage collection logs.
fields:
- name: message
type: text
description: >
Original GC log message.
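Review bot: with `message` as the fileset's only field, the new `elasticsearch.gc.*` group adds nothing searchable beyond the raw `message` it duplicates (the grok in ingest/pipeline.json is meant to copy the text after the leading timestamp into it), and as `type: text` it cannot be aggregated or alerted on. The record in test/test.log carries exactly the values operators watch, the `(Allocation Failure)` cause, the `0.0078609 secs` pause and the `680068K->540560K(1031552K)` heap before/after/total, so consider extracting at least the pause duration and heap sizes as numeric fields here and in the pipeline, and make the `description` say that `message` is the multiline record minus its leading timestamp rather than the "original" message.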
15 changes: 15 additions & 0 deletions filebeat/module/elasticsearch/gc/config/gc.yml
@@ -0,0 +1,15 @@
type: log
paths:
{{ range $i, $path := .paths }}
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
multiline:
pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
negate: true
match: after

fields:
Contributor

Here the indentation of `fields` seems to be off, and `fields_under_root` is probably not applying because of this.

service.name: "elasticsearch"

fields_under_root: true
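Review bot: the `multiline` settings (`negate: true`, `match: after`, pattern `^[0-9]{4}-[0-9]{2}-[0-9]{2}`) treat every line that does not begin with a date as a continuation of the previous record, so any line that appears before the first timestamped record in a file starts an event of its own and will fail the `%{TIMESTAMP_ISO8601:timestamp}` grok in ingest/pipeline.json, ending up in `error.message` via `on_failure`; check that test/gc.log exercises that path. The indentation point raised above should be confirmed before merge: `service.name` must be nested under `fields` for `fields_under_root: true` to promote it to the top-level `service.name` that test/test.log-expected.json expects.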
37 changes: 37 additions & 0 deletions filebeat/module/elasticsearch/gc/ingest/pipeline.json
@@ -0,0 +1,37 @@
{
"description": "Pipeline for parsing Elasticsearch JVM garbage collection logs",
"processors": [
{
"grok": {
"field": "message",
"patterns": [
"%{TIMESTAMP_ISO8601:timestamp}",
"%{GREEDYMULTILINE:elasticsearch.gc.message}"
Contributor

I would suggest putting this under just `message`. It means we will overwrite what is in `message` at the moment. If we want to keep it, we could use `log.message`.

Contributor

I think the missing elasticsearch.gc.message part in the expected log file is the reason CI is failing.

],
"pattern_definitions": {
"GREEDYMULTILINE": "(.|\n)*"
}
}
},
{
"rename": {
"field": "@timestamp",
"target_field": "event.created"
}
},
{
"rename": {
"field": "timestamp",
"target_field": "@timestamp"
}
}
],
"on_failure": [
{
"set": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
]
}
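Review bot: the `grok` processor is given two separate entries in `patterns`, `%{TIMESTAMP_ISO8601:timestamp}` and `%{GREEDYMULTILINE:elasticsearch.gc.message}`, and the processor stops at the first pattern that matches, so the unanchored timestamp pattern always wins and `elasticsearch.gc.message` is never populated; that is consistent with the field being absent from test/test.log-expected.json, as noted in the second comment above. The two need to be a single pattern, along the lines of `"^%{TIMESTAMP_ISO8601:timestamp}: %{GREEDYMULTILINE:elasticsearch.gc.message}"`, anchored so the timestamp must lead the record. Separately, renaming the raw string `timestamp` into `@timestamp` leaves parsing of `2018-06-11T02:00:11.097+0000` to the index mapping; a `date` processor with an explicit format and `timezone` would make a parse failure visible through the same `on_failure` handler instead of at index time.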
11 changes: 11 additions & 0 deletions filebeat/module/elasticsearch/gc/manifest.yml
@@ -0,0 +1,11 @@
module_version: 1.0

var:
- name: paths
default:
- /var/log/elasticsearch/gc.log.[0-9]*
Contributor

What is the name of the first log? If it is called gc.log I think the pattern will not match it.

Member Author

GC logs are weird. In ES jvm.options, the default configuration looks like this:

8:-Xloggc:/var/log/elasticsearch/gc.log

When Elasticsearch is started for the first time without any GC logs, the first one is named gc.log.0.current. When rolled over by the JVM, the file is renamed to gc.log.0 and gc.log.1.current begins. Here are files from a running cluster node:

ls -1 /var/log/elasticsearch/gc.*
/var/log/elasticsearch/gc.log.0
/var/log/elasticsearch/gc.log.0.current
/var/log/elasticsearch/gc.log.1
/var/log/elasticsearch/gc.log.2
/var/log/elasticsearch/gc.log.3
/var/log/elasticsearch/gc.log.4.current

On this system, the active file is /var/log/elasticsearch/gc.log.0.current. /var/log/elasticsearch/gc.log.4.current was left behind from a restart.

Contributor

Got it, then the pattern makes sense.

os.darwin: []
os.windows: []

ingest_pipeline: ingest/pipeline.json
input: config/gc.yml
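Review bot: no module documentation change is part of this diff (filebeat/docs/fields.asciidoc is only the generated field list), so the `var.paths` default `/var/log/elasticsearch/gc.log.[0-9]*`, the fact that it deliberately matches both the rotated `gc.log.N` files and the active `gc.log.N.current` file discussed above, and the empty `os.darwin: []` / `os.windows: []` defaults (which leave users on those platforms to set `var.paths` themselves) need to be written up in the elasticsearch module docs. The glob also picks up a stale `gc.log.4.current` left over from a restart, as the author's listing shows; that is fine, but worth a sentence so users are not surprised when old records arrive alongside new ones.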
702 changes: 702 additions & 0 deletions filebeat/module/elasticsearch/gc/test/gc.log

Large diffs are not rendered by default.

4 changes: 4 additions & 0 deletions filebeat/module/elasticsearch/gc/test/test.log
@@ -0,0 +1,4 @@
2018-06-11T02:00:11.097+0000: 1396558.467: [GC (Allocation Failure) 2018-06-11T02:00:11.097+0000: 1396558.467: [ParNew
Desired survivor size 8716288 bytes, new threshold 6 (max 6)
- age 1: 1142528 bytes, 1142528 total
: 153138K->12252K(153344K), 0.0077785 secs] 680068K->540560K(1031552K), 0.0078609 secs] [Times: user=0.02 sys=0.00, real=0.01 secs]
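Review bot: a single four-line record is thin coverage for a `multiline` input; add at least one single-line GC record and one record preceded by a line that does not start with a date, so both the joining logic in config/gc.yml and the `on_failure` branch of ingest/pipeline.json are exercised by the test, and make sure the file ends with a newline so the final line is read as complete.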
34 changes: 34 additions & 0 deletions filebeat/module/elasticsearch/gc/test/test.log-expected.json
@@ -0,0 +1,34 @@
[
{
"_index": "filebeat-7.0.0-alpha1-2018.06.13",
"_type": "doc",
"_id": "QgKh-WMBTsDQhtAzVH5V",
"_score": 1,
"_source": {
"offset": 226,
"prospector": {
"type": "log"
},
"source": "/Users/jbryan/es/filebeat/snapshot/filebeat-7.0.0-alpha1-SNAPSHOT-darwin-x86_64/test.log",
"message": "2018-06-11T02:00:11.097+0000: 1396558.467: [GC (Allocation Failure) 2018-06-11T02:00:11.097+0000: 1396558.467: [ParNew\nDesired survivor size 8716288 bytes, new threshold 6 (max 6)\n- age 1: 1142528 bytes, 1142528 total",
"input": {
"type": "log"
},
"@timestamp": "2018-06-11T02:00:11.097+0000",
"service": {
"name": "elasticsearch"
},
"beat": {
"hostname": "peanut.lan",
"name": "peanut.lan",
"version": "7.0.0-alpha1"
},
"host": {
"name": "peanut.lan"
},
"event": {
"created": "2018-06-13T14:51:23.265Z"
}
}
}
]
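Review bot: the expected event does not match test/test.log: `message` ends at `- age 1: 1142528 bytes, 1142528 total` and `offset` is 226, so the fourth line (`: 153138K->12252K(153344K), 0.0077785 secs] ...`) never made it into the event, most likely because the document was captured before the multiline reader flushed the still-open record; and `elasticsearch.gc.message` is missing, which the second comment on the pipeline identifies as the CI failure. The file also carries run-specific values (`_index`, `_id`, `source` under `/Users/jbryan/...`, `beat.hostname` and `host.name` of `peanut.lan`, `event.created`) that will differ on every run; regenerate it from the module system test so that only fields stable across runs are compared.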
2 changes: 2 additions & 0 deletions filebeat/module/elasticsearch/module.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,4 @@
dashboards:

- id: Filebeat-elasticsearch-gc-Dashboard
Contributor

This should be removed as there are no dashboards yet.

file: Filebeat-elasticsearch-gc.json
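Review bot: agreed with the comment above that the `dashboards` entry should be dropped, with one further reason: the referenced `Filebeat-elasticsearch-gc.json` is not part of this diff, so dashboard setup for the module would point at a file that does not exist. Either remove the two lines or add the dashboard file in the same change.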