I would like to add COLD data node (NOT data node) to my elasticsearch cluster using helm:
My values.yaml:
...
roles:
master: "false"
ingest: "false"
data: "false"
remote_cluster_client: "false"
ml: "false"
data_cold: "true"
...
but when deploy it, i got this error:
java.lang.IllegalArgumentException: unknown setting [node.data_cold] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
Any idea please ?
Thank you in advance!
Assuming you're using the Elastic helm charts, I accomplished this by setting the following in my values.yml:
extraEnvs:
- name: 'node.attr.data'
value: '{{ ilm_phase }}'
and setting the following in my vars.yml for each individual data tier:
ilm_phase: 'cold' # ...or hot, or whatever...
And then finally, using a custom node attribute in my ILM policy.
It's not ideal, but it works well, even if it's not as nuanced as using node.roles. If someone else has a better method, I'm open to it.
Edit
I forgot that I also added the following template, which applies to all new indices created. This forces all new indices to be created on the hot data nodes.
PUT _template/ilm-set-index-ilm-hot
{
"order": 127,
"index_patterns": [ "*" ],
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"data": "hot"
}
}
}
}
},
"mappings": {},
"aliases": {}
}
Related
Is it possible to create conditional indexing by using ingest node pipelines? I feel this could be done by the script processor but can someone tell if this is possible?
I am in a scenario where I should decide which is a better way to do custom indexing. I can mention conditions in the metricbeat.yml /filebeat.yml files to get this done. But is this the best way to do custom indexing? There is no logstash in my elastic stack
output.elasticsearch:
indices:
- index: "metricbeat-dev-%{[agent.version]}-%{+yyyy.MM.dd}"
when.equals:
kubernetes.namespace: "dev"
This is how I have implemented custom indexing in metric/filebeat right now. I have like 20+ namespaces in my Kubernetes cluster. Please help in suggesting if this could be done by ingest node pipeline or not
Yes, You can achived this by ingest pipeline Set Processor. Ingest Pipeline support accessing of metadata fields and you can access / update index name using _index field name.
Below is sample Ingest Pipeline which will update index name when namespace is dev:
[
{
"set": {
"field": "_index",
"value": "metricbeat-dev",
"if": "ctx.kubernetes?.namespace== 'dev'"
}
}
]
Upadte 1: append agent version to index name. I ahve consider agent version feild name as agent.version
[
{
"set": {
"field": "_index",
"value": "metricbeat-dev-{{agent.version}}",
"if": "ctx.kubernetes?.namespace== 'dev'"
}
}
]
This is my AWS module setting in K8S
filebeat.modules:
- module: aws
cloudtrail:
enabled: true
var.queue_url:
input:
fields:
cloud.service.name: cloudtrail
cloud.service.type: cloudtrail
fields_under_root: true
But since I view the log in the Kibana
{
"_index": ".log-aws-1",
"fields": {
"fields.cloud.service.name": [
"cloudtrail"
],
...
}
}
This is issues
not work adding 'cloud.service.type' field.
I changed 'input' to 'inputs', but not work.
not work 'fields_under_root', it seems 'fields.fields.cloud.service.name'
What should I do to apply two cases?
I am stuck using elasticsearch/kibana 5.6.3. I need to enable cross cluster searching. I was able to get it working in 6.8.6 version but then found out I am stuck for now with older one (since we would have to upgrade dozens of servers sending data with an old version of fluentd). The documentation says to enable cluster settings from the console:
PUT _cluster/settings
{
"persistent": {
"cluster": {
"remote": {
"cluster-two": {
"seeds": ["localhost:9301"]
}
}
}
}
}
Which generates this error message:
{
"error": {
"root_cause": [
{
"type": "illegal_argument_exception",
"reason": "persistent setting [cluster.remote.cluster-two.seeds.0], not dynamically updateable"
}
],
"type": "illegal_argument_exception",
"reason": "persistent setting [cluster.remote.cluster-two.seeds.0], not dynamically updateable"
},
"status": 400
}
My elastic search config file:
cluster.name: cluster
node.name: node-1
http.port: 9200
transport.tcp.port: 9300
remote cluster:
cluster.name: remote-cluster
node.name: node-1
http.port: 9201
transport.tcp.port: 9301
I assume my error means I need to directly update this property in the config file. I tried a few options in elasticsearch.yml but no luck. Any idea what update I need to make to get cross cluster searching working?
Not working:
cluster.remote.cluster_two.seeds: ["127.0.0.1:9301"]
cluster.remote.cluster_two.seeds: 127.0.0.1:9301
cluster:
remote:
cluster_two:
seeds: 127.0.0.1:9301
bleh ... I think I found it here but need to test it is working. They had different name for the yaml config:
5.6: search.remote.cluster_two.seeds
6.8: cluster.remote.cluster_two.seeds
At least the server starts up now. Also I can set that in the console without error:
PUT _cluster/settings
{
"persistent": {
"search": {
"remote": {
"cluster_two": {
"seeds": ["localhost:9301"]
}
}
}
}
}
I have run into a brick wall considering searching in my logged events. I am using an elasticsearch solution, filebeat to load messages from logs to elasticsearch, and Kibana front end.
I currently log the messages into a field message and exception stacktrace (if present) into error.message. So the logged event's snippet may look like:
{
"message": "Thrown exception: CustomException (Exception for testing purposes)"
"error" : {
"message" : "com.press.controller.CustomException: Exception for testing purposes\n at
com.press.controller....<you get the idea at this point>"
}
}
Of course there are other fields like timestamp, but those are not important. What is important is this:
When I search message : customException, I can find the events I logged. When I search error.message : customException, I do not get the events. I need to be able to fulltext search all fields.
Is there a way how to tell elasticsearch to enable the fulltext search in the fields?
And why has the "message" field enabled it by default? None of my colleagues are aware that any indexing command was run on the field in the console after deployment and our privileges do not allow me or other team members to run indexing or analysis commands on any field. So it has to be in the config somewhere.
So far I was unable to find the solution. Please push me in the right direction.
Edit:
The config of fields is as follows:
We use a modified ECS, and both messages are declared as
level: core
type: text
in file fields.yml.
in filebeat, the config snippet is as such:
filebeat.inputs:
- type: log
enabled: true
paths: .....
...
...
processors:
- rename:
fields:
- from: "msg"
to: "message"
- from: "filepath"
to: "log.file.name"
- from: "ex"
to: "error.message"
ignore_missing: true
fail_on_error: true
logging.level: debug
logging.to_files: true
For security requirements, I cannot disclose full files. Also, I need to write all the snippets by hand, so misspells are probably my fault.
Thanks
Problem is with the analyzer associated with your field, by default for text fields in ES, standard analyzer is used which doesn't create separate tokens if text contains . for ex: foo.bar would result in just 1 token as foo.bar while if you want both foo and bar should match in foo.bar then you need to genrate 2 tokens as foo and bar.
What you need is a custom analyzer which creates token as above as your error.message text contains . which I explained in my example:
PUT /my_index
{
"settings": {
"analysis": {
"analyzer": {
"my_analyzer": {
"tokenizer": "standard",
"char_filter": ["replace_dots"]
}
},
"char_filter": {
"replace_dots": {
"type": "mapping",
"mappings": [
". => \\u0020"
]
}
}
}
}
}
POST /my_index/_analyze
{
"analyzer": "my_analyzer",
"text": "foo.bar"
}
The above example creates 2 tokens as foo and bar and same should happen with you when you create and test it with these API.
Let me know if you face any issue with it.
Elastic Search indexes all fields by default, here you did not define the mapping hence all fields should be indexed by default.
Also for your case I doubt if the data is properly going in elastic search as the log doesn't seem to be proper json.
Do you see proper logs in Kibana if yes please send a sample log/screenshot
I am using ELK with kibana.
I am also using filebeat for sending data to Logstash.
The i have created look like this
{
"mappings": {
"_default_": {
"properties": {
"msg":{"type":"string", "index":"not_analyzed"}
}
},
"log": {
"properties": {
"#timestamp":{"type":"date","format":"strict_date_optional_time||epoch_millis"},
"#version":{"type":"string"},
"beat": {
"properties": {
"hostname":{"type":"string"},
"name":{"type":"string"},
}
},
"count":{"type":"long"},
"host":{"type":"string"},
"input_type":{"type":"string"},
"message":{"type":"string"},
"msg":{"type":"string","index":"not_analyzed"},
"offset":{"type":"long"},
"source":{"type":"string"},
"type":{"type":"string"}
}
}
}
}';
I want to know that just like beat has 2 fields like hostname and name. Is it possible to have add more fields like environment: dev which i can see in kibana so that i can filter messages based on that
Yes, you can specify additional fields in your filebeat.yml configuration. Those new fields will be created. You have two options, you can either specify fields and/or fields_under_root.
If you use the former (see below), a new fields subgroup with your custom fields will appear in your document and you will be able to filter messages with fields.environment: dev in Kibana.
fields:
environment: dev
If you use the latter (see below), your custom fields will appear at the top-level in your document and you will be able to filter messages with environment: dev in Kibana.
fields_under_root: true