Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Maximizing Logstash Performance

Aaron Mildenstein
July 14, 2017
Programming
0
270

Maximizing Logstash Performance

Presentation at OpenWest 2017, accompanied by live demonstrations at the command-line and in Kibana.

Aaron Mildenstein

July 14, 2017
Tweet

More Decks by Aaron Mildenstein

See All by Aaron Mildenstein
Building a Wrapper API
untergeek
0
130
What's new in Logstash 5.0
untergeek
0
230
Using Beats in the Elastic Stack - NLUUG
untergeek
1
270
Managing and Tuning Elasticsearch & Logstash
untergeek
1
310
Write your own Logstash plugin for fun and profit
untergeek
0
110
The Practice and Evolution of HTTP Access Monitoring
untergeek
0
74
Zabbix + Logstash Integration
untergeek
3
3.9k
Introduction to the ELK Stack
untergeek
0
200
A deeper look at the ELK Stack: Elasticsearch, Logstash & Kibana
untergeek
2
4.2k

Other Decks in Programming

See All in Programming
Java 20, 21, オブジェクト指向からデータ指向へ / Java20, 21, Object Oriented to Data Oriented
kishida
10
6.6k
From Cloud-Native Java and Quarkus 3 with Love @ DevoxxUK 2023 London
hpgrahsl
0
150
RBS meets LLMs - Type inference using LLM
kokuyouwind
0
200
From complexity to observability using OpenTelemetry
danilop
1
280
ざっくりつかむLangChainのメンタルモデル [説明欄にソースあり]
sagawa23
6
890
From 1 to 201 Lambda functions in production: Evolving a serverless startup architecture
slobodan
0
160
Multiverse Ruby
shioyama
1
2.3k
Ruby JIT Hacking Guide / RubyKaigi 2023
k0kubun
0
3.3k
The Resurrection of 
the Fast Parallel Test Runner
koic
1
1.6k
PO,SMに送るテスト自動化の8原則に5箇条を添えて / scrumniigata2023
pineapplecandy
2
670
new_urlparser.pdf
yosuke_furukawa
PRO
1
250
Modern and Lightweight Cloud Application Development with Jakarta EE 10
ivargrimstad
0
560

Featured

See All Featured
Fantastic passwords and where to find them - at NoRuKo
philnash
33
2k
How to Ace a Technical Interview
jacobian
271
22k
Code Review Best Practice
trishagee
52
12k
Into the Great Unknown - MozCon
thekraken
5
470
The Invisible Customer
myddelton
113
12k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.1k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
A Philosophy of Restraint
colly
195
15k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
13k
Being A Developer After 40
akosma
49
580k
How to name files
jennybc
51
79k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k

Transcript

  1. Optimizing Logstash
    Performance
    There's more than one way to parse a log...

    View Slide

  2. Define the problem
    • Logstash is perceived as slow

    • No insight into performance bottlenecks

    • No idea how to gain insight

    View Slide

  3. Logstash?
    Data In Data Out

    View Slide

  4. Have no fear!
    Let's shine a light in there

    View Slide

  5. Rule #1

    View Slide

  6. –Jordan Sissel, creator of Logstash...and grok.
    “If you have to use grok, you've already lost.”

    View Slide

  7. Toolset 1
    • generator input plugin

    • dots codec

    • pipe viewer (pv)

    View Slide

  8. Generator
    input {
    generator {
    lines => [
    'line1',
    'line2',
    ...
    'lineN',
    ]
    count => 123456
    }
    }

    View Slide

  9. dots codec
    output {
    stdout {
    codec => dots
    }
    }

    View Slide

  10. pv
    -r, --rate show data transfer rate counter
    -W, --wait display nothing until first byte transferred
    $ bin/logstash -f mytest.conf | pv -Wr > /dev/null
    [42.0KiB/s]

    View Slide

  11. –No one, Ever
    “I like waiting!”

    View Slide

  12. Toolset 2
    • Elasticsearch, Logstash, & Kibana (+ X-Pack)

    • Configure Logstash to send monitoring data

    • View in Kibana

    View Slide

  13. X-Pack
    $ bin/elasticsearch-plugin install x-pack
    $ bin/kibana-plugin install x-pack
    $ bin/logstash-plugin install x-pack

    View Slide

  14. Configure Kibana
    vi config/kibana.yml
    # If your Elasticsearch is protected with basic authentication,
    # these settings provide the username and password that the
    # Kibana server uses to perform maintenance on the Kibana
    # index at startup. Your Kibana users still need to
    # authenticate with Elasticsearch, which
    # is proxied through the Kibana server.
    elasticsearch.username: "elastic"
    elasticsearch.password: "changeme"

    View Slide

  15. Configure Logstash
    vi config/logstash.yml
    # Periodically check if the configuration has changed and
    # reload the pipeline
    # This can also be triggered manually through the SIGHUP signal
    #
    config.reload.automatic: true
    xpack.monitoring.elasticsearch.url: "http://localhost:9200"
    xpack.monitoring.elasticsearch.username: elastic
    xpack.monitoring.elasticsearch.password: changeme

    View Slide

  16. Ready for Launch
    • Start Elasticsearch

    • Start Kibana

    • Navigate to Monitoring page

    View Slide

  17. Logstash is a Pipeline
    In case I neglected to mention it

    View Slide

  18. Pipeline Truths
    • At most, Logstash can only move data as fast as it comes in

    • Unless dropped or eliminated by conditional, each event will exit each
    output.

    • If a filter or output plugin is slow or blocked, the entire pipeline will back up

    • Filters will slow the pipeline–Some a little, some a lot.

    • Logstash can only ship data as fast as the slowest output.

    • No, really. Not kidding.

    View Slide

  19. Consider the following...
    output {
    plugin1 {...}
    plugin2 {...}
    plugin3 {...}
    }

    View Slide

  20. Improving performance
    • Use brokers

    • Parallel pipelines

    • Staged pipelines

    View Slide

  21. Parallel pipeline example
    input {...}
    filter {# NONE}
    output {
    redis {...}
    }
    redis
    input { redis {...} }
    filter { # all }
    output {
    plugin1 {...}
    }
    input { redis {...} }
    filter { # all }
    output {
    plugin1 {...}
    }
    input { redis {...} }
    filter { # all }
    output {
    plugin1 {...}
    }

    View Slide

  22. Staged pipeline example
    output {
    elasticsearch {...}
    redis {...}
    }
    ES
    redis
    input { redis {...} }
    output {
    slow_output {...}
    }

    View Slide

  23. Other potential bottlenecks
    • Persistent Queues

    • Conditionals

    • Especially if you're doing regular expressions in them

    View Slide

  24. Future methods
    • Multiple pipelines from 1 JVM

    • Definable in logstash.yml

    • Each with auto-reload

    • Pipeline viewer (may be only in X-Pack at release)

    • See throughput not just as a sum of input/output, but at each plugin
    and conditional.

    View Slide

  25. Conclusion
    • If you can't measure it, you can't improve it, so monitor it. A lot.

    • Use grok and regular expressions...

    • ...as sparingly as possible

    • Don't put all of your pipeline eggs in one basket...

    • ...unless you've measured it and it meets your expectations

    • Parallelize and stage your pipeline with brokers FTW

    View Slide

  26. Resources
    • https://www.elastic.co/guide/en/logstash/current/performance-
    troubleshooting.html

    • https://www.elastic.co/guide/en/logstash/current/tuning-logstash.html

    View Slide