With Elasticsearch and Logstash together on a single node, we tested parsing 20 MB and 200 MB files into Elasticsearch on different types of AWS instances, i.e. Medium, Large and Xlarge.
Logstash conf
```
input {
  file {
  }
}

filter {
  mutate {
    gsub => ["message", "\n", " "]
  }
  mutate {
    gsub => ["message", "\t", " "]
  }
  multiline {
    pattern => "^ "
    what => "previous"
  }

  grok {
    match => [ "message", "%{TIME:log_time}\|%{WORD:Message_type}\|%{GREEDYDATA:Component}\|%{NUMBER:line_number}\| %{GREEDYDATA:log_message}"]
    match => [ "path" , "%{GREEDYDATA}/%{GREEDYDATA:loccode}/%{GREEDYDATA:_machine}\:%{DATE:logdate}.log"]
    break_on_match => false
  }

  # To check location is S or L
  if [loccode] == "S" or [loccode] == "L" {
    # Keep only the part of _machine before the first underscore
    ruby {
      code => " temp = event['_machine'].split('_')
                if !temp.nil? && !temp.empty?
                  event['_machine'] = temp[0]
                end"
    }
  }

  mutate {
    add_field => ["event_timestamp", "%{@timestamp}" ]
    replace => [ "log_time", "%{logdate} %{log_time}" ]
    # Remove the 'logdate' field since we don't need it anymore.
    lowercase => ["loccode"]
    remove => "logdate"
  }

  # to get all site details (site name, city and co-ordinates)
  sitelocator {
    sitename => "loccode"
    datafile => "vendor/sitelocator/SiteDetails.csv"
  }

  date {
    locale => "en"
    match => [ "log_time", "yyyy-MM-dd HH:mm:ss", "MM-dd-yyyy HH:mm:ss.SSS", "ISO8601" ]
  }
}

output {
  elasticsearch {
  }
}
```
Environment details: Medium instance, 3.75 RAM, 1 core, Storage: 4 GB SSD, 64-bit, Network performance: Moderate. Instance running: Logstash, Elasticsearch

Scenario: 1
**With default settings**

Result:

```
20mb logfile     23 mins         Events Per/second 175
200mb logfile    3 hrs 3 mins    Events Per/second 175
```

Added the following to settings:

Java heap size : 2GB

```
bootstrap.mlockall: true
indices.fielddata.cache.size: "30%"
indices.cache.filter.size: "30%"
index.translog.flush_threshold_ops: 50000
indices.memory.index_buffer_size: 50%
# Search thread pool
threadpool.search.type: fixed
threadpool.search.size: 20
threadpool.search.queue_size: 100
```

**With added settings**

Result:

```
20mb logfile     22 mins          Events Per/second 180
200mb logfile    3 hrs 07 mins    Events Per/second 180
```
Scenario 2

Environment details: R3 Large, 15.25 RAM, 2 cores, Storage: 32 GB SSD, 64-bit, Network performance: Moderate. Instance running: Logstash, Elasticsearch
**With default settings**

Result:

```
20mb logfile     7 mins     Events Per/second 750
200mb logfile    65 mins    Events Per/second 800
```

Added the following to settings:

Java heap size: 7gb, other parameters same as above

**With added settings**

Result:

```
20mb logfile     7 mins     Events Per/second 800
200mb logfile    55 mins    Events Per/second 800
```
Scenario 3

Environment details: R3 High-Memory Extra Large (r3.xlarge), 30.5 RAM, 4 cores, Storage: 32 GB SSD, 64-bit, Network performance: Moderate. Instance running: Logstash, Elasticsearch
**With default settings**

Result:

```
20mb logfile     7 mins     Events Per/second 1200
200mb logfile    34 mins    Events Per/second 1200
```

Added the following to settings:

Java heap size: 15gb, other parameters same as above

**With added settings**

Result:

```
20mb logfile     7 mins     Events Per/second 1200
200mb logfile    34 mins    Events Per/second 1200
```
I wanted to know

Any help is appreciated, as I am new to Logstash and Elasticsearch.
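1- If you want comments on your perf, we need to see your logstash filter configuration.

Logstash performance is a mix of filter/output/worker settings.

More filters = fewer events/second.

If you have logstash performance problems, a good idea is to scale out. More workers and more instances can increase events/second performance. People work with a sender and put the logstash nodes behind it.

2- See 1

3- There are IO limits, and sometimes it is better to have more nodes. Elasticsearch is designed to work with shards/nodes etc.

4- Logstash monitoring is currently only process monitoring. There are some leads about doing this with a Java debugger, but you have to find the information in the logstash user group. For Elasticsearch, there is Marvel to monitor your Elasticsearch cluster.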
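The way we monitor logstash:

1) Monitor Elasticsearch directly: make a simple /info call to the ES API (if ES is down, you're down)

2) Monitor Elasticsearch stats. It depends on how you use it. You can look for activity (number of documents, index size, etc.) or other data that is meaningful in your environment. If you see the stats moving, you know logstash is successfully delivering messages into ES

3) Logstash itself: just hit the port it is listening on. If the port goes dark… logstash is dead / not running.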
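
The three checks above combined into one poller, as an added example that is not part of the original answer. The ES address, the Logstash port 5000 and all function names are assumptions; the document count is read from `_all.primaries.docs.count` in the Elasticsearch `/_stats` response.

```python
import json
import socket
import urllib.request

def port_open(host, port, timeout=2.0):
    """Check 3: True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def fetch_json(url, timeout=5.0):
    """Checks 1 and 2: GET a URL on the ES HTTP API; None if it cannot be read."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        return None

def doc_count(stats):
    """Total primary-shard document count from an ES `/_stats` response."""
    return stats["_all"]["primaries"]["docs"]["count"]

def pipeline_status(es_info, prev_stats, curr_stats, logstash_up):
    """Combine the three checks into one verdict string."""
    if es_info is None or curr_stats is None:
        return "es_down"
    if not logstash_up:
        return "logstash_down"
    if prev_stats is not None and doc_count(curr_stats) <= doc_count(prev_stats):
        return "stalled"  # both processes alive, but no new documents indexed
    return "ok"

# Constructed sample: two `/_stats` snapshots taken one polling interval apart.
SAMPLE_PREV = {"_all": {"primaries": {"docs": {"count": 210000}}}}
SAMPLE_CURR = {"_all": {"primaries": {"docs": {"count": 258000}}}}

if __name__ == "__main__":
    es = "http://127.0.0.1:9200"        # assumed ES HTTP address
    info = fetch_json(es + "/")         # root endpoint returns cluster info
    stats = fetch_json(es + "/_stats")
    up = port_open("127.0.0.1", 5000)   # assumed Logstash input port
    # First poll has no previous snapshot; keep `stats` for the next run.
    print(pipeline_status(info, None, stats, up))
```

A falling count (deletes, index rotation) is also reported as `stalled`, so compare snapshots taken within one index's lifetime.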