Elasticsearch.slowlog.id is null when sending X-Opaque-Id header

margaretp · October 30, 2024, 2:35pm

Hello,

I have been using slowlogs for awhile, and now I'm trying to get X-Opaque-Id to show up in slowlogs so I can trace slow queries to their source. I believe that if it is set, the header should appear in the output field elasticsearch.slowlog.id, but I'm only seeing this set to null.

First, I followed the instructions here to set index.search.slowlog.include.user to true for an index: Slow Log | Elasticsearch Guide [8.15] | Elastic

I confirmed the new setting was applied by getting the index settings back:

"search": {
    "slowlog": {
        "include": {
            "user": "true"
        },
    "threshold": {
        "fetch": {
            "warn": "1s",
            "trace": "-1",
            "debug": "-1",
            "info": "800ms"
        },
    "query": {
            "warn": "5s",
            "trace": "-1",
            "debug": "-1",
            "info": "2s"
        }
    }
}

Next, I ran a query that exceeds the thresholds I have set and included the header X-Opaque-Id set to headertest. I can see the value getting returned in the query response headers under x-opaque-id, but slowlogs still show elasticsearch.slowlog.id as null.

Are there any other steps I missed to get the header to show up in slowlogs? I tried this on a cluster running 8.15.3 (using ECK 2.13.0).

I also tried this on another cluster running 8.12.0. In that case, I didn't change the slowlog settings since the 8.12 documentation doesn't make note of the new index.search.slowlog.include.user setting (Slow Log | Elasticsearch Guide [8.12] | Elastic), but I still don't see the header being set on the slowlog output.

Thank you!

angelo · November 4, 2024, 9:43pm

Adding index.search.slowlog.include.user will add user.name to the slowlog and should have not bearing the 'id' value, for example the 'elastic' user or 'elastic/kibana' if you are using Kibana Console/DevTools.

In my case, when I did provide the X-Opaque-Id header via curl, I did see it logged correctly in elasticsearch.slowlog.id in the logs. However, there were also a lot of 'null' values that appeared to be generated by Kibana. Maybe that could be what you are experiencing?

margaretp · November 4, 2024, 10:12pm

Thank you for the reply. Good to know about index.search.slowlog.include.user .

Unfortunately I only see elasticsearch.slowlog.id set to null in the (JSON) log output:

"@timestamp":"2024-11-04T22:06:56.274Z", "log.level": "INFO",  "elasticsearch.slowlog.id":null,"elasticsearch.slowlog.message": ...

I do see the value returned as x-opaque-id in the response header when I run a query from curl or Insomnia, but it's always null in the logs. I am not using Kibana.

Topic		Replies	Views
X-opaque-id not displayed in search slow log Elasticsearch	7	843	September 21, 2021
Cannot see user "id" in slowlogs (X-Opaque-ID) Elasticsearch elastic-stack-monitoring	1	576	July 30, 2020
How to identify specific users who are submitting slowlog queries? Elasticsearch elastic-stack-monitoring	11	483	September 23, 2022
How to change elasticsearch.slowlog.id? Elasticsearch	4	229	July 6, 2023
Kibana and ElasticSearch X-Opaque-ID header Kibana	3	1577	April 2, 2020

Elasticsearch.slowlog.id is null when sending X-Opaque-Id header

Related topics