Logstash filter "metrics" is not working!


(Ritesh Sharma) #1

Hey Guys,

I am trying to get responses per second for some of my APIs from NGINX access logs. After some googling I came across the "metrics" filter of Logstash, which claims to provide per-duration (/sec, /minute etc.) occurrence information for any term present in a log event, hence I followed the conf specified on Elastic and other web sources, but it doesn't seem to be working either.

Mentioning some details below.

NGINX log event:

Some_Private_IP - - [18/Nov/2016:11:34:47 +0530] "GET /Some/API/URI/ HTTP/1.1" 499 0 rt=2.686 "-" "tsung" "-"

logstash conf:

filter {

    if [type] == "nginx79_transit_logdata" {
        grok {
            # "pattern" is not a grok option; match against the message field instead.
            # Square brackets and double quotes inside the pattern must be escaped,
            # and grok only converts to :int or :float (":double" is silently ignored).
            match => { "message" => "%{SYSLOGTIMESTAMP:filebeat_timestamp}%{SPACE}%{SYSLOGHOST:client_hostname}%{SPACE}%{NOTSPACE:server_file_name}%{SPACE}%{IP:remote_addr}%{SPACE}-%{SPACE}-%{SPACE}\[%{HTTPDATE:rqst_time}\]%{SPACE}\"%{WORD:rqst_type}%{SPACE}%{NOTSPACE:api_called}%{SPACE}%{NOTSPACE:httpversion}%{SPACE}%{NUMBER:status_code:int}%{SPACE}%{NUMBER:page_size:int}%{SPACE}rt=%{NUMBER:resp_time:float}%{SPACE}%{GREEDYDATA:left_msg}" }

            add_tag   => "got_syslog_timestamp"
            add_field => [ "received_at", "%{@timestamp}" ]
        }

        metrics {
            meter   => "status_code"   # field captured by the grok pattern above
            add_tag => "metric"
        }

        date {
            # the grok pattern stores the request time in "rqst_time", not "timestamp"
            match => [ "rqst_time", "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
    }
}

output {

    if [type] == "nginx79_transit_logdata" {
        stdout { codec => rubydebug }
    }
}

In the output JSON document I can clearly see "got_syslog_timestamp" in tags[], which is added in the grok filter, but I am unable to see the tag "metric", which is added in the metrics filter.

Kindly suggest whether my way of configuring is correct or not, or whether there is another way of achieving my goal.


(Magnus Bäck) #2

The metrics will be emitted as new events, but the only kind of event you're doing anything about are nginx79_transit_logdata ones. Comment out that conditional in your output block and you'll see what happens.


(Ritesh Sharma) #3

Hey Magnus,

Yes, you are correct. Now it is throwing some metrics details as JSON, but I am not getting what sort of metrics these are. Could you kindly explain? I am expecting some per-second occurrence value for each type of HTTP status code present in the input log file.

Kindly help.


(Magnus Bäck) #4

Unless you show what you're getting I can't explain what you're getting.


(Ritesh Sharma) #5

Sorry, here it is.

{
         "@timestamp" => "2016-11-18T08:00:10.802Z",
               "beat" => {
        "hostname" => "ip-10-0-0-9",
            "name" => "ip-10-0-0-9",
         "version" => "5.0.0"
    },
         "input_type" => "log",
            "message" => "Nov 18 13:30:09 ip-10-0-0-23 nginxTrial-571 Some_Private_IP - - [18/Nov/2016:13:30:01 +0530] \"POST /coupons/v1/coupons/10/user-action HTTP/1.1\" 200 27 rt=0.010 \"-\" \"tsung\" \"-\"",
             "offset" => 14220285,
             "source" => "/rescue_109/dataLogging/Some_Private_IP/nginxTrial-571/2016-11-18.log",
               "type" => "nginx79_transit_logdata",
           "@version" => "1",
 "filebeat_timestamp" => "Nov 18 13:30:09",
    "client_hostname" => "ip-10-0-0-23",
   "server_file_name" => "nginxTrial-571",
        "remote_addr" => "Some_Private_IP",
          "rqst_time" => "18/Nov/2016:13:30:01 +0530",
          "rqst_type" => "POST",
         "api_called" => "/coupons/v1/coupons/10/user-action",
        "httpversion" => "HTTP/1.1\"",
        "status_code" => 200,
          "page_size" => "27",
          "resp_time" => 0.01,
           "left_msg" => "\"-\" \"tsung\" \"-\"",
        "received_at" => "2016-11-18T08:00:10.802Z",
               "tags" => [
        [0] "got_syslog_timestamp"
    ]
}

{
      "@version" => "1",
    "@timestamp" => "2016-11-18T08:01:54.500Z",
       "message" => "ip-10-0-0-6",
   "status_code" => {
           "count" => 8000,
         "rate_1m" => 171.96722134759196,
         "rate_5m" => 513.7988399847355,
        "rate_15m" => 617.8121727163245
    },
          "tags" => [
        [0] "metric"
    ]
}


(Magnus Bäck) #6

Yes, you are correct. Now it is throwing some metrics details as JSON, but I am not getting what sort of metrics these are. Could you kindly explain? I am expecting some per-second occurrence value for each type of HTTP status code present in the input log file.

Then you need to configure the metrics filter accordingly. With your current configuration,

metrics{
  meter => "status_code"
  add_tag => "metric"
}

you're sending all events into the same bucket. To shard them per status code, follow the example in the documentation, e.g. by doing this:

metrics{
  meter => "status_code_%{status_code}"
  add_tag => "metric"
}
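A complete pipeline in the shape Magnus describes, as an added example that is not part of the original thread. The grok pattern is the one from the first post (with brackets and quotes escaped); the `_grokparsefailure` guard, the `rates`, `flush_interval` and `clear_interval` settings and the tag-based output routing are my additions and are marked as assumptions in the comments.

```logstash
# Added example (not from the original thread): one meter per HTTP status code,
# and an output that routes the generated metric events separately.
filter {
  if [type] == "nginx79_transit_logdata" {
    grok {
      # same pattern as in the first post (brackets and quotes escaped)
      match => { "message" => "%{SYSLOGTIMESTAMP:filebeat_timestamp}%{SPACE}%{SYSLOGHOST:client_hostname}%{SPACE}%{NOTSPACE:server_file_name}%{SPACE}%{IP:remote_addr}%{SPACE}-%{SPACE}-%{SPACE}\[%{HTTPDATE:rqst_time}\]%{SPACE}\"%{WORD:rqst_type}%{SPACE}%{NOTSPACE:api_called}%{SPACE}%{NOTSPACE:httpversion}%{SPACE}%{NUMBER:status_code:int}%{SPACE}%{NUMBER:page_size:int}%{SPACE}rt=%{NUMBER:resp_time:float}%{SPACE}%{GREEDYDATA:left_msg}" }
    }

    date {
      match => [ "rqst_time", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }

    # Meter only events grok actually parsed; on a parse failure [status_code] is
    # unset and the meter would literally be named "status_code_%{status_code}".
    if "_grokparsefailure" not in [tags] {
      metrics {
        meter          => "status_code_%{status_code}"   # e.g. status_code_200, status_code_499
        add_tag        => "metric"
        rates          => [1]     # assumption: only the 1-minute rate (events/second) is wanted
        flush_interval => 5       # emit one metric event every 5 s (the default)
        clear_interval => 60      # assumption: reset counters each minute so "count" is per window
      }
    }
  }
}

output {
  # Metric events are new events without [type]; select them by tag.
  if "metric" in [tags] {
    stdout { codec => rubydebug }
  } else if [type] == "nginx79_transit_logdata" {
    stdout { codec => dots }   # one dot per parsed log event keeps the console readable
  }
}
```

Each metric event then carries one nested field per status code seen, e.g. `[status_code_200][count]` and `[status_code_200][rate_1m]`. Two things to keep in mind when reading the numbers: `rate_1m` is an exponentially weighted moving average in events per second over the last minute, not the number of events in the last second, so a steady 600 requests per minute shows up as `rate_1m` close to 10; and `count` is cumulative since Logstash started unless `clear_interval` is set, as it is here. The filter keeps its counters in memory per pipeline worker, so run Logstash with a single worker (`-w 1`) if you want one set of figures rather than one per worker.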

(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.