ELK堆栈用于存储计量数据

Question

In our project we're using an ELK stack for storing logs in a centralized place. However I've noticed that recent versions of ElasticSearch support various aggregations. In addition Kibana 4 supports nice graphical ways to build graphs. Even recent versions of grafana can now work with Elastic Search 2 datasource.

So, does all this mean that ELK stack can now be used for storing metering information gathered inside the system or it still cannot be considered as a serious competitor to existing solutions: graphite, influx db and so forth. If so, does anyone use ELK for metering in production? Could you please share your experience?

Just to clarify the notions, I consider metering data as something that can be aggregated and and show in a graph 'over time' as opposed to regular log message where the main use case is searching.

Thanks a lot in advance

Answer 1

Yes you can use Elasticsearch to store and analyze time-series data.

To be more precise - it depends on your use case . For example in my use case (financial instrument price tick history data, in development ) I am able to get 40.000 documents inserted / sec ( ~125 byte documents with 11 fields each - 1 timestamp, strings and decimals, meaning 5MB/s of useful data ) for 14 hrs/day , on a single node (big modern server with 192GB ram) backed by corporate SAN (which is backed by spinning disks , not SSD!). I went to store up to 1TB of data , but I predict having 2-4TB could also work on a single node.

All this is with default config file settings , except for the ES_HEAP_SIZE of 30GB. I am suspecting it would be possible to get significantly better write performance on that hardware with some tuning (eg. I find it strange that iostat reports device util at 25-30% as if Elastic was capping it / conserving i/o bandwith for reads or merges... but it could also be that the %util is an unrealiable metric for SAN devices..)

Query performance is also fine - queries / Kibana graphs return quick as long as you restrict the result dataset with time and/or other fields.

In this case you would not be using Logstash to load your data , but bulk inserts of big batches directly into the Elasticsearch. https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-bulk.html

You also need to define a mapping https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html to make sure elastic parses your data as you want it (numbers, dates, etc..) creates the wanted level of indexing, etc..

Other recommended practices for this use case are to use a separate index for each day (or month/week depending on your insert rate), and make sure that index is created with just enough shards to hold 1 day of data (by default new indexes get created with 5 shards, and performance of shards starts degrading after a shard grows over a certain size - usually few tens of GB, but it might differ for your use case - you need to measure/experiment).

Using Elasticsearch aliases https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-aliases.html helps with dealing with multiple indexes, and is a generally recommended best practice.