Logstash filter "metrics" is not working!

Ritesh_Sharma · November 18, 2016, 6:32am

Hey Guys ,

I am trying to get response per second for some of my APIs from NGINX Access logs and after some googling i came across "metrics" filter of logstash which claims to provide per duration (/sec , /minute etc ) occurrence information for any term present in log event hence i followed the specified conf on elastic and other web sources but it doesn't seem working either .

mentioning some details below ,

NGINX Log Event :

Some_Private_IP - - [18/Nov/2016:11:34:47 +0530] "GET /Some/API/URI/ HTTP/1.1" 499 0 rt=2.686 "-" "tsung" "-"

logstash conf :

filter {

if [type] == "nginx79_transit_logdata"
{
grok {
pattern => [ "%{SYSLOGTIMESTAMP:filebeat_timestamp}%{SPACE}%{SYSLOGHOST:client_hostname}%{SPACE}%{NOTSPACE:server_file_name}%{SPACE}%{IP:remote_addr}%{SPACE}-%{SPACE}-%{SPACE}[%{HTTPDATE:rqst_time}]%{SPACE}"%{WORD:rqst_type}%{SPACE}%{NOTSPACE:api_called}%{SPACE}%{NOTSPACE:httpversion}%{SPACE}%{NUMBER:status_code:int}%{SPACE}%{NUMBER:page_size:double}%{SPACE}rt=%{NUMBER:resp_time:float}%{SPACE}%{GREEDYDATA:left_msg}" ]

            add_tag => "got_syslog_timestamp"
            add_field => [ "received_at", "%{@timestamp}" ]
        }


    metrics{
            meter => "status_code"         # token getting from above pattern matching and tokenization ; 
            add_tag => "metric"
            }

    date {
            match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
         }

}
}

output {

if [type] == "nginx79_transit_logdata" {

                    stdout {codec => rubydebug}

}
}

In output json document i can clearly see "got_syslog_timestamp" in tags[] which is added in grok filter but unable to see tag "metric" which is added in metrics filter .

Kindly , suggest whether my way of configuring is correct or not or is there any other way of achieving my goal .

magnusbaeck · November 18, 2016, 6:49am

The metrics will be emitted as new events, but the only kind of event you're doing anything about are nginx79_transit_logdata ones. Comment out that conditional in your output block and you'll see what happens.

Ritesh_Sharma · November 18, 2016, 8:13am

Hey Magnus ,

Yes , you are correct now its throwing some metrics details as json but i am not getting what sort of metrics these are could you kindly explain , i am expecting some per sec occurrence value for each type of Status code (HTTP) present in inp log file.

Kindly help .

magnusbaeck · November 18, 2016, 8:20am

Unless you show what you're getting I can't explain what you're getting.

Ritesh_Sharma · November 18, 2016, 10:02am

Sorry , here it is .

{
"@timestamp" => "2016-11-18T08:00:10.802Z",
"beat" => {
"hostname" => "ip-10-0-0-9",
"name" => "ip-10-0-0-9",
"version" => "5.0.0"
},
"input_type" => "log",
"message" => "Nov 18 13:30:09 ip-10-0-0-23 nginxTrial-571 Some_Private_IP - - [18/Nov/2016:13:30:01 +0530] "POST /coupons/v1/coupons/10/user-action HTTP/1.1" 200 27 rt=0.010 "-" "tsung" "-"",
"offset" => 14220285,
"source" => "/rescue_109/dataLogging/Some_Private_IP/nginxTrial-571/2016-11-18.log",
"type" => "nginx79_transit_logdata",
"@version" => "1",
"filebeat_timestamp" => "Nov 18 13:30:09",
"client_hostname" => "ip-10-0-0-23",
"server_file_name" => "nginxTrial-571",
"remote_addr" => "Some_Private_IP",
"rqst_time" => "18/Nov/2016:13:30:01 +0530",
"rqst_type" => "POST",
"api_called" => "/coupons/v1/coupons/10/user-action",
"httpversion" => "HTTP/1.1"",
"status_code" => 200,
"page_size" => "27",
"resp_time" => 0.01,
"left_msg" => ""-" "tsung" "-"",
"received_at" => "2016-11-18T08:00:10.802Z",
"tags" => [
[0] "got_syslog_timestamp"
]
}

{
"@version" => "1",
"@timestamp" => "2016-11-18T08:01:54.500Z",
"message" => "ip-10-0-0-6",
"status_code" => {
"count" => 8000,
"rate_1m" => 171.96722134759196,
"rate_5m" => 513.7988399847355,
"rate_15m" => 617.8121727163245
},
"tags" => [
[0] "metric"
]
}

magnusbaeck · November 18, 2016, 10:21am

Yes , you are correct now its throwing some metrics details as json but i am not getting what sort of metrics these are could you kindly explain , i am expecting some per sec occurrence value for each type of Status code (HTTP) present in inp log file.

Then you need to configure the metrics filter accordingly. With your current configuration,

metrics{
  meter => "status_code"
  add_tag => "metric"
}

you're sending all events into the same bucket. To shard them per status code follow the example in the documentation, e.g. by doing this:

metrics{
  meter => "status_code_%{status_code}"
  add_tag => "metric"
}

system · December 16, 2016, 10:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.