A presentation given at multiple meetups and training sessions highlighting some of the new features of Elasticsearch 2.0, Logstash 2.0, Kibana 4.x, and Beats 1.0.

permission is strictly prohibited

About Elastic
• Founded: July 2012
• Renamed Elasticsearch → Elastic: March 2015
• Headquarters: Amsterdam and Mountain View, CA
• Develops Elasticsearch, Logstash, Kibana, Beats
• Provides:
  • Training (public and onsite)
  • Development and production support
  • Hosted Elasticsearch (Found)
  • Commercial plugins: Marvel, Shield, Watcher

Elastic Product Family
Built for today's scalable, distributed systems
• Kibana: Visualize and explore data
• Elasticsearch: Store, search, analyze
• Logstash, Beats, ES-Hadoop: Collect, parse and enrich data
• Marvel: Monitor and manage
• Shield: Secure and protect
• Watcher: Monitor and notify
• Found: Elasticsearch as a Service
Categories shown: Open Source Products, Commercial Products, Training, Professional Services, Support Subscriptions

Four Main Themes in 2.0
• Simplification
  • Removing, deprecating features
  • Query DSL / Doc improvements
• Security
  • Always high on customer wish lists
• Resiliency
  • Started in 1.x, but ongoing
• Features
  • Pipeline aggs
  • Compression

Removed Entirely
• Rivers - use Logstash or create your own ingestion layer
• Facets - replaced by aggregations
• _shutdown API - use platform-specific services
• Support for Thrift and Memcached protocols
• Bulk UDP - use the standard bulk API, or use UDP to send documents to Logstash first

Moved to Plugins
• Delete by query
  • Problematic, not a "core" feature
• Types:
  • murmur3
  • _size
• Multicast discovery
  • Unicast was always recommended in production

Mappings
• Conflicting field mappings
• Fields cannot be referenced by short name
• Type name prefix removed
• Field names cannot contain dots
• Type names cannot start with a dot
• Type may no longer be deleted
• index_analyzer is removed
• _analyzer field is removed
• Date format changes
• ... and more ...

Analyzer Mappings

    PUT my_index
    {
      "mappings": {
        "my_type": {
          "properties": {
            "title": {
              "type": "string",
              "analyzer": "my_analyzer"
            }
          }
        }
      }
    }

There are some changes in how field-specific analyzers are now set. This format, which sets both search and index analyzers, is still acceptable in 2.0.

Query and Filter Execution Changes
• Before 2.0
  • Queries:
    • Typically contribute to scoring
    • No caching
  • Filters:
    • Don't contribute to scoring
    • Can be cached

Query and Filter Execution Changes: Two-Phase Query Execution
• Approximation phase
  • Quickly iterates over a superset of the matching documents
• Verification phase
  • Checks whether a document in this superset actually matches the query

Query and Filter Execution Changes: Query Caching
• Fully automatic
• Keeps track of the 256 most recently used queries
• Only caches those that appear 5 times or more
• Does not cache segments which have fewer than 10000 documents or 3% of the documents of the index
• More efficient query cache (roaring bitmaps)
• Non-scoring components are cacheable
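
The caching rules listed on this slide, modelled as a small policy object. This is an added example, not code from the presentation or from Elasticsearch/Lucene; the class and function names are hypothetical, and it assumes the 256-entry history counts individual uses of a query.

```python
from collections import Counter, deque

HISTORY = 256          # most recent query uses that are tracked
MIN_USES = 5           # appearances in the history before caching
MIN_SEG_DOCS = 10000   # segments with fewer documents are never cached
MIN_SEG_RATIO = 0.03   # nor segments holding under 3% of the index


class CachePolicy:
    """Model of the slide's rules (hypothetical class, not the real API)."""

    def __init__(self):
        self.recent = deque()
        self.counts = Counter()

    def record(self, query):
        """Note one use of a query; forget the oldest use beyond 256."""
        self.recent.append(query)
        self.counts[query] += 1
        if len(self.recent) > HISTORY:
            old = self.recent.popleft()
            self.counts[old] -= 1
            if not self.counts[old]:
                del self.counts[old]

    def should_cache(self, query, segment_docs, index_docs):
        """Apply the segment-size rules first, then the frequency rule."""
        if segment_docs < MIN_SEG_DOCS:
            return False
        if segment_docs < MIN_SEG_RATIO * index_docs:
            return False
        return self.counts[query] >= MIN_USES


def demo():
    """Constructed run: one filter used 5 times on a 50k-doc segment."""
    policy = CachePolicy()
    decisions = []
    for _ in range(5):
        policy.record("status:500")
        decisions.append(policy.should_cache("status:500", 50_000, 1_000_000))
    return decisions  # only the fifth use qualifies
```
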

Security Enhancements
• Elasticsearch now binds to local interfaces ONLY
• Unicast discovery is now the default
• Makes Elasticsearch more secure by default
• Protects Elasticsearch in the wild (don't do that!)
• Security Manager
  • Prevents access to resources outside of Elasticsearch even if the Elasticsearch process is compromised
  • All resources that Elasticsearch can access are defined on node startup
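
A configuration check for the defaults described on this slide: it flags elasticsearch.yml settings that bind a node beyond loopback or turn multicast discovery back on. This is an added example, not part of the presentation; the sample configs are constructed, the function names are hypothetical, and it assumes the flat `dotted.key: value` style of elasticsearch.yml rather than nested YAML.

```python
import ipaddress

# Settings that control which addresses a node binds to or publishes.
BIND_KEYS = ("network.host", "network.bind_host", "network.publish_host")
MULTICAST = "discovery.zen.ping.multicast.enabled"

# Constructed sample configs (not taken from the presentation).
SAMPLE_DEFAULT = "cluster.name: logs\n# network.host left unset\n"
SAMPLE_EXPOSED = (
    "cluster.name: logs\n"
    "network.host: 0.0.0.0   # listen on every interface\n"
    "discovery.zen.ping.multicast.enabled: true\n"
)


def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines, skipping comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_local(value):
    """True only if every listed address is loopback."""
    for item in value.strip("[]").split(","):
        item = item.strip().strip("\"'").lower()
        if item in ("_local_", "localhost"):
            continue
        try:
            if not ipaddress.ip_address(item).is_loopback:
                return False
        except ValueError:
            return False  # _site_, _global_, interface or host name
    return True


def audit(text):
    """Return findings for settings that move a node off the 2.0 defaults."""
    cfg = parse_flat_yaml(text)
    findings = [f"{key}={cfg[key]}: bound beyond loopback"
                for key in BIND_KEYS if key in cfg and not is_local(cfg[key])]
    if cfg.get(MULTICAST, "").lower() == "true":
        findings.append(f"{MULTICAST}=true: 2.0 default is unicast")
    return findings
```
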

Durability of Transaction Log
Index operations are now durable by default!
• Before 2.0 transaction log was fsynced every 5 sec
• Transaction log is now fsynced after each operation
• Configurable
• On SSDs indexing is about 7% - 10% slower with bulk indexing compared to async translog flushes

Cluster State Diffs
• Before 2.0, the entire cluster state was shipped on every change to every node
• Starting with 2.0 only changes are sent
• This can be a massive improvement on clusters with large cluster states!
• Thanks, Igor!

Doc Values by Default
• Fielddata was a common culprit in OOMs
• Doc Values: Lucene data structure (disk-based)
• Dramatic heap memory reduction by default
• Values for sorting, aggs, etc. are moved onto disk
• Let the OS deal with it!
• Indexed, not_analyzed fields now use doc values
  • Only for indices created with 2.0
  • Reindex required for older data

Index Compression
• 10-30% reduction in index size
• Some indexing/merging impact
• Dynamic setting - could be set before optimization for time-based indices

Upgrading to Elasticsearch 2.0
• Major Version Upgrade!!!
  • No rolling upgrades
  • One way - no way to downgrade back to 1.x
• Take Snapshot (and test restore) before proceeding
• Test! Test! Test!
• Use the Migration plugin
  • Site plugin for 1.x that checks for potential issues
  • https://github.com/elastic/elasticsearch-migration

Kibana 4.0
• Complete re-write of Kibana
• Separate Tasks
• Drag and Drop
• Re-usable components
• Using D3 JavaScript visualization library
• NodeJS backend server (rather than client-side)
• Leverages Elasticsearch aggregations
• Multi-dimensional visualizations
• Plug-in architecture for "Kibana apps"
• Export to CSV
• Many more!

Kibana 3 -> Kibana 4 Migration Tips
• Kibana 3 to Kibana 4 (Kibana 3 EOL is Nov 2015)
  • Embedded web server
  • Platform-specific installation packages
  • Performance improvements
  • Dashboards will not be migrated
  • Some panel types not available, yet
• Kibana 4 to Kibana 4.2
  • Support for Elasticsearch 2.x
  • Not backward-compatible with Elasticsearch 1.x
  • Dashboards are automatically migrated

Beats Update
• More Packetbeat protocols
  • MongoDB
  • DNS
  • Memcache
• More Beats
  • Topbeat: Shipper for CPU, memory, process resource metrics
• Improved platform support
  • Windows support (e.g. self-contained installer)
• Developer guides
  • Building Beats
  • Building Packetbeat protocol modules