Datafeed not happening in ml job

Elastic Stack Kibana
1

Hi all,

I'm new to ml job.

I've created the ml job in kibana. I got an error

image
image.png1244×318 19.5 KB

1. My data with timestamp (It's a sample data of one log file ) all data are feed at one shot.

image
image.png1022×216 10.2 KB

2. While validating my job i got the below warnings.

image
image.png776×553 28.2 KB

3. In job management tab i got only one proceed data for my job.

image
image.png1242×189 11.8 KB

4. My job config

image
image.png1217×470 29.9 KB

5. JSON file

image
image.png1184×604 28.6 KB

image
image.png1200×590 32.8 KB

image
image.png1195×606 25.6 KB

image
image.png1201×339 11.5 KB

Can anybody help me.

Appreciate your responses

2

I have 100 thousand documents in elastic search but it is processed only 1.

please let me know my mistake.

My expectation in ml job is:

  1. filed "response" is the response time of the HTTP request.
    I want to find the mean of "response" and to predict the mean value in future.

  2. I tried SUM also but, i got same response.

Anyone guide me how to do ml job.

3

It looks like the main crux of your problem is that although you have 100k+ documents in Elasticsearch, they all have the same timestamp. In logstash, you must have not properly extracted the timestamp from the logs and used that to write the @timestamp field (??) See the "Date filter" section of: https://www.elastic.co/blog/a-practical-introduction-to-logstash

The ML job needs to see documents over long-ish periods of time (hours, days, weeks, etc.). Until you fix the timestamps, your ML jobs will never work.

1 Like
4

Hi @richcollier , Thank you for the response. Please review the below screenshot of my log line

image
image.png1003×746 36.2 KB

Here ;;

  1. I tried to read the sample log file.
  2. @timestamp is taken as when the log lines are read and sent to elastic search( Dec 19 2018 xxxx). but the actual log time of log in the file is (Dec 4 2018 xxx)
  3. currently the field timestamp (which i defined) in text type. I can mutate it to date.
  4. How to i get the actual log time (Dec 4 2018 xxx) in elasticsearch???

could you please guide me how to achieve this.

5

@richcollier , I'll try this suggestion and let you know the results.

6

@richcollier Thanks much.

Issue is resolved.

I mapped my logtime to the timestamp.

filter {
grok {
match => {
"message" => '%{NOTSPACE:clientip}:- %{NOTSPACE:user} %{NOTSPACE:pass} %{NOTSPACE:role} [%{HTTPDATE:logtime}] "%{WORD:method} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:responsecode} %{NUMBER:response} %{NOTSPACE:id1} %{NOTSPACE:id2} %{NOTSPACE:id3} %{NOTSPACE:id4} %{NOTSPACE:id5}'
}
}

date {
match => [ "logtime", "dd'/'MMM'/'yyyy:HH:mm:ss Z" ]

	}

mutate {
convert => {
"responsecode" => "integer"
"response" => "integer"
}
}
}

Now its working perfectly

image
image.png1220×270 12.1 KB

1 Like
7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.