stackoom
  简体   繁体   中英

How to push logs to elasticsearch in filebeat instantly?

 原文  2020-02-10 10:50:02       elasticsearch/ filebeat

Question

hear is my filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - ../typescript/rate-limit-test/logs/*.log
  json.message_key: "message"
  json.keys_under_root: true
  json.overwrite_keys: true
  scan_frequency: 1s

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

logging.level: debug

output.elasticsearch:
  hosts: ["34.97.108.113:9200"]
  index: "filebeat-%{+yyyy-MM-dd}"
setup.template:
  name: 'filebeat'
  pattern: 'filebeat-*'
  enabled: true
setup.template.overwrite: true
setup.template.append_fields:
- name: time
  type: date

processors:
  - drop_fields:
      fields: ["agent","host","ecs","input","log"]

setup.ilm.enabled: false`

I changed scan_frequncy but elasticsearch couldn't get logs faster

How can i get logs in elasticsearch instantly?

Please help me..

1 answers

solution1
 1 ACCPTED  2020-02-10 15:25:31

There will be never an 'instantly' available logline in elasticsearch. The file needs to be watched for a considerable amount of changes or time, then the newly added lines need to be sent to elasticsearch in a bulk request and indexed into the appropriate shard on the correct cluster node. Network latency, TLS, authentification + authorization, concurrent write/search load: all the things affects the 'instantly' experience.

The speed of log ingestion and NRT (near-real-time search) depends on many factors and configuration options in elasticsearch and filebeat.

Regarding tuning elasticsearch for indexing speed, have a look at this documentation , and apply what you have missed yet. A brief overview:

  • Disable swapping and enable memory locking ( bootstrap.memory_lock: true )
  • Consider reducing index.refresh_interval (defaults to 1s) for the index in order to have the docs flushed more often (produces more IO in the cluster)

For Filebeat, there is also good documentation about tuning , but in general, I see the following options:

  • Try different output.elasticsarch.bulk_max_size values (defaults to a batch size of 50) and monitor the ingestion speed. For each cluster configuration, there are different optimal settings.
  • In high load scenarios, when the logs are written fast, consider increasing the number of workers output.elasticsarch.workers (defaults to 1)
  • In the opposite scenario, having just a few log lines being written, consider increasing the close_inactive and scan_frequency value for the harvester. Specifying a more suitable backoff will have an effect on how aggressively Filebeat checks files for updates.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Filebeat not pushing logs to Elasticsearch filebeat json logs to elasticsearch max size What is the use of FileBeat while parsing logs in Elasticsearch How to store logs in Elasticsearch without using any log shipper like Filebeat or Logstash? How can I store the logs that are generated using log4j into Elasticsearch using filebeat? How to set up elasticsearch and filebeat Filebeat 6.7.0 not pushing logs to Elasticsearch 6.7.0 after upgrade Why reinstalled Filebeat knows previous logs were already loaded to Elasticsearch Does filebeat add metadata while sending logs to elasticsearch? Filebeat can't send logs after Elasticsearch cluster failure
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM