We are experiencing high CPU utilization when starting the elasticsearch & logstash services simultaneously.
The JAVA process is occupying more than 300% CPU.
The elasticsearch holds some multiple JAVA threads and makes the CPU reaches to max utilization.
Elasticsearch version (bin/elasticsearch --version): 2.3.4
JVM version (java -version): 1.8.0
OS version (uname -a if on a Unix-like system): RHEL 7.2
Team,
Can you help on this?
We are at critical state due to this CPU issue.
Do you have monitoring installed? How much indexing and querying is the node handling when the CPU usage goes up?
Hi,
We have nagios installed for monitoring the load . the load keeps on fluctuating and its has lot of threads running at the backend.
When I query the indices , I am getting the below o/p with lot of indices in open state.
Please assist, since I am very new to ELK
You seem to have a lot of small shards, so please read this blog post for some guidance on shards and sharding practices. When you look at monitoring and amount of data indexed, do you see any correlation between indexed volume and CPU usage?
Yes Christian. Initial days the CPU usage was very well under control.
Now, as the data indices are growing it starts affecting my CPU usage.
Also, I could suspect that my indices are creating duplicates as the older date indices are also growing on day to day basis as well.
Please advise on how to avoid duplicate indices from getting created .
Have a look at your ingest pipeline and make sure it is configured correctly so it does not resend old data.
Could you please be more specific on which configuration file to be checked?
I do not know anything about how you are ingesting data, so it is hard to be more specific. How are you ingesting data into Elasticsearch?
Using RabbitMQ as buffer
Configured Logstash to push logs to RabbitMQ
Pulling logs from RabbitMQ and indexing
Is any other information required?
@Christian_Dahlqvist Please find below the logstash.conf
input
{ rabbitmq {
host => "10.x.x.x"
port => 5670
ssl_certificate_password => 'xxxxx'
ssl_certificate_path => Vetc/logstash/ssl_cert/client/keycert.p12'
ssl_version => "TLSv1.2"
ssl => true
durable => false
exchange => "elasticsearch-exchange"
queue => "indexer-queue"
vhost => "es_vhost"
key => "logstash-routing_key"
user => "xxxx"
password => "xxxx"
heartbeat => "15"
automatic_recovery => false
connect_retry_interval => 1
exchange type => "direct"
}
}
output {
elasticsearch {
hosts => ["localhostm]
index => "immediate-%(+YYYY.MM.dd}"
}
}
input {
file {
path => "/var/log/messages"
start position => "end"
}
}
filter {
grok {
match => "message" => "%{SYSLOGTIMESTAMP:system_auth_timestamp} %{SYSLOGHOST:system_auth_hostname} %{GREEDYDATA:command_issued}: %{GREEDYDATA:message}" }
add tag => "syslog"
}
}
output {
rabbitmq {
exchange => "elasticsearch-exchange"
exchange_type => "direct"
key => "logstash-routing_key"
ssl => true
durable => false
ssl_certificate_password => 'xxxxx'
ssl_certificate_path => 'etc/logstash/ssl_cert/client/keycert.p12'
ssl_version => "TLSv1.2"
host => "10.x.x.x"
vhost => "es_vhost"
persistent => true
passive => true
port => "5671"
user => "xxxx"
password => "xxxx"
}
}I do unfortunately not have much experience with RabbitMQ, so may not be able to help much.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.