Add GC fileset to Elasticsearch Filebeat module #7305
Changes from 6 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
- name: gc | ||
type: group | ||
description: > | ||
Contains fields for the Elasticsearch JVM garbage collection logs. | ||
fields: | ||
- name: message | ||
type: text | ||
description: > | ||
Original GC log message. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
type: log | ||
paths: | ||
{{ range $i, $path := .paths }} | ||
- {{$path}} | ||
{{ end }} | ||
exclude_files: [".gz$"] | ||
multiline: | ||
pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}' | ||
negate: true | ||
match: after | ||
|
||
fields: | ||
service.name: "elasticsearch" | ||
|
||
fields_under_root: true |
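Review bot: in `exclude_files: [".gz$"]` the dot is unescaped, so the regex excludes any path that ends in one arbitrary character followed by `gz`, not only `.gz` archives. Use `['\.gz$']` so that only the literal extension is matched.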
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
{ | ||
"description": "Pipeline for parsing Elasticsearch JVM garbage collection logs", | ||
"processors": [ | ||
{ | ||
"grok": { | ||
"field": "message", | ||
"patterns": [ | ||
"%{TIMESTAMP_ISO8601:timestamp}", | ||
"%{GREEDYMULTILINE:elasticsearch.gc.message}" | ||
I would suggest to put this under just
I think the missing |
||
], | ||
"pattern_definitions": { | ||
"GREEDYMULTILINE": "(.|\n)*" | ||
} | ||
} | ||
}, | ||
{ | ||
"rename": { | ||
"field": "@timestamp", | ||
"target_field": "event.created" | ||
} | ||
}, | ||
{ | ||
"rename": { | ||
"field": "timestamp", | ||
"target_field": "@timestamp" | ||
} | ||
} | ||
], | ||
"on_failure": [ | ||
{ | ||
"set": { | ||
"field": "error.message", | ||
"value": "{{ _ingest.on_failure_message }}" | ||
} | ||
} | ||
] | ||
} |
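Review bot: the two entries under `patterns` in the grok processor are alternatives, not a sequence. Grok returns on the first expression that matches, and `%{TIMESTAMP_ISO8601:timestamp}` matches every event that starts with a timestamp, so `%{GREEDYMULTILINE:elasticsearch.gc.message}` is never applied and `elasticsearch.gc.message` is never set. Combine them into a single expression, for example `%{TIMESTAMP_ISO8601:timestamp}: %{GREEDYMULTILINE:elasticsearch.gc.message}`. The second `rename` also moves the captured string into `@timestamp` unparsed; a `date` processor with an explicit format would state which timestamp layout the pipeline expects.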
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
module_version: 1.0 | ||
|
||
var: | ||
- name: paths | ||
default: | ||
- /var/log/elasticsearch/gc.log.[0-9]* | ||
What is the name of the first log? If it is called
GC logs are weird. In ES
When Elasticsearch is started for the first time without any GC logs, the first one is named
On this system, the active file is
Got it, then the pattern makes sense. |
||
os.darwin: [] | ||
os.windows: [] | ||
|
||
ingest_pipeline: ingest/pipeline.json | ||
input: config/gc.yml |
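Review bot: `os.darwin: []` and `os.windows: []` are empty lists, so if they override `default` the fileset has no GC log path on macOS or Windows and collects nothing there without any error. Either supply platform paths or drop the overrides so `default` applies. A short comment next to `gc.log.[0-9]*` recording why the un-suffixed file name is not matched would also help, since the question came up in review.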
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
2018-06-11T02:00:11.097+0000: 1396558.467: [GC (Allocation Failure) 2018-06-11T02:00:11.097+0000: 1396558.467: [ParNew | ||
Desired survivor size 8716288 bytes, new threshold 6 (max 6) | ||
- age 1: 1142528 bytes, 1142528 total | ||
: 153138K->12252K(153344K), 0.0077785 secs] 680068K->540560K(1031552K), 0.0078609 secs] [Times: user=0.02 sys=0.00, real=0.01 secs] |
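Review bot: the sample contains a single GC event, so the test never exercises the event boundary that the multiline pattern `^[0-9]{4}-[0-9]{2}-[0-9]{2}` is meant to detect. Add at least a second event that starts with a timestamp, so the expected output shows two documents, each with its own continuation lines attached.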
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
[ | ||
{ | ||
"_index": "filebeat-7.0.0-alpha1-2018.06.13", | ||
"_type": "doc", | ||
"_id": "QgKh-WMBTsDQhtAzVH5V", | ||
"_score": 1, | ||
"_source": { | ||
"offset": 226, | ||
"prospector": { | ||
"type": "log" | ||
}, | ||
"source": "/Users/jbryan/es/filebeat/snapshot/filebeat-7.0.0-alpha1-SNAPSHOT-darwin-x86_64/test.log", | ||
"message": "2018-06-11T02:00:11.097+0000: 1396558.467: [GC (Allocation Failure) 2018-06-11T02:00:11.097+0000: 1396558.467: [ParNew\nDesired survivor size 8716288 bytes, new threshold 6 (max 6)\n- age 1: 1142528 bytes, 1142528 total", | ||
"input": { | ||
"type": "log" | ||
}, | ||
"@timestamp": "2018-06-11T02:00:11.097+0000", | ||
"service": { | ||
"name": "elasticsearch" | ||
}, | ||
"beat": { | ||
"hostname": "peanut.lan", | ||
"name": "peanut.lan", | ||
"version": "7.0.0-alpha1" | ||
}, | ||
"host": { | ||
"name": "peanut.lan" | ||
}, | ||
"event": { | ||
"created": "2018-06-13T14:51:23.265Z" | ||
} | ||
} | ||
} | ||
] |
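Review bot: the expected `message` ends at `1142528 total`, so the fourth line of the sample event (the one beginning `: 153138K->12252K`) is missing, although it does not start with a date and should be appended by the multiline settings. The document also has no `elasticsearch.gc.message` field, which is the only field the fileset declares. Regenerate the expected output once both are fixed, and replace the machine-specific `source` path and the `peanut.lan` host values with neutral ones.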
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,4 @@ | ||
dashboards: | ||
|
||
- id: Filebeat-elasticsearch-gc-Dashboard | ||
This should be removed as there are no dashboards yet. |
||
file: Filebeat-elasticsearch-gc.json |
Here the indentation seems to be off. `fields` and `fields_under_root` is probably not applying because of this.