I am trying to configure an ELK stack and have timeouts when performing queries from kibana.
After researching for a while I couldn't find a good answer to my question, how many shards should I use...
We use ELK to collect production logs.
The description of the stack:
All the ELK stack runs using docker on a single server.
ElasticSearch has only 1 node with 8GB out of 16 GB RAM given to the JVM (-Xmx8g -Xms8g)
Logstash creates a daily index
For now we don't really care to lose the logs so we don't have any replicas
We use the default value of shards per index (5)
For now we only keep 3 days of logs. (3 indexes) which give us ~50 million entries per index and around 150GB of total data size.
We average around 2.2 million entries hourly
When we query in Kibana for the last 15 minutes or 1hr it returns the result after around 10 seconds but when querying for 4hrs it gets a timeout after 30seconds.
We've also noticed that the CPU of the machine is very high almost always and the RAM is very high as well.
From what I've read people say that the shard size should be less than 30GB from one hand and to use as little shards per node as possible.
Given the constrain of a single node it seems like the number of shards should be 2 per index to supply the 30GB rule but if we do that we will have 2 shards per index, with 3 saved indexes (for 3 days) which will give us 6 shards for that node. Q1: Will it work ok or should we reduce it to 1 shard per index?
Another thing to notice: our indices are named `logstash-year.month.day' and in kibana we created an index pattern 'logstash-*'. Q2: Does it query all the indices even when we specify in kibana a date range? Should we also create a daily index pattern in kibana?
Q3: We are currently trying to avoid creating multiple nodes. Is there a way to do it with a single node or should we create more nodes? If more how many will work and with how many shards?
A single node should be fine for this. If it's not, then I'd be using X-Pack Monitoring to look at what is happening on the node when you have these load issues.
The minimum query latency will depend on the data, queries and shard size, so I would recommend running a benchmark to determine the most appropriate shard size for your use-case as described in this video.
Having large shards is important in order to not get too many shards when you have a long retention period. If you however want to keep your retention period at 3 days and e.g. have dashboards that refresh automatically at an interval (send the same queries but with a varying time frame), you might actually be better off using an hourly index with a single primary shard. The reason for this is that indices no longer receiving data would be able to cache more efficiently. Given your heap size the number of shards generated should be manageable.
But if we monitor 24 hours period, doesn't that mean that 24 shards will run the query on the same node?
As I understand from blog posts we want to reduce the number of shards on one node that participate in the query, or am I missing something?
That is correct. If you are running the same query over and over, e.g. by refreshing a displayed dashboard, most of these indices are not changing as no new data is arriving, which means that they will be able to cache more efficiently. If you however are exploring your data and constantly changing the queries and filters, this may indeed be worse than having a single larger index.
The optimal number and size of indices will depend on your query patterns, and it is quite possible that a solution somewhere in between might be optimal.
One thing I want to mention is the query I run is a query without any condition...When I start adding conditions the queries start returning much quicker even including all 3 days.
When viewing a dashboard with 10 visualizations it still behaves poorly:
12 hrs of dashboard, returning after ~10secs, iostat -mx 10:
One more thing, I have the Logstash, Elastichsearch and Kibana deployed on the same machine in docker containers. Could it be that the Logstash is the bad guy and consumes Elasticsearch resources?
We've upgraded to a machine with more RAM givin elastic 30GB of ram to play around with, it helped.
But the most significant issue I found was the way our visualizations were built.
We had many visualizations without queries, only using filters and some of the visualizations used filter of the form !(some condition) which led to matching almost all the data.
So 2 conclusions I found are:
Almays use queries in visualizations before aggregating them
Try avoiding filters of the form !(some condition) unless you added a query to significantly reduce the number of matching logs
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
