Hi,
Thanks for your reply.
The actual response times are not sub-millisecond; they range from roughly 200 ms to 2000 ms. I think I have either misconfigured something or hit a bug. Another user has already opened a thread about the same problem:
https://discuss.elastic.co/t/http-responsetime-unrealistic-results?source_topic_id=70483
Example document in which the response time is reported as zero:
{
"_index": "packetbeat-2017.01.04",
"_type": "http",
"_id": "AVlpluaaE1adqnAMeWq4",
"_score": 1,
"_source": {
"@timestamp": "2017-01-04T13:06:53.673Z",
"beat": {
"hostname": "ip-433-30-0-xxx",
"name": "ip-433-30-0-xxx",
"version": "5.1.1"
},
"bytes_in": 443,
"bytes_out": 641,
"client_ip": "433.30.0.xxx",
"client_port": 56106,
"client_proc": "",
"client_server": "",
"direction": "out",
"http": {
"request": {
"headers": {
"content-length": 0
},
"params": ""
},
"response": {
"code": 200,
"headers": {
"content-length": 423,
"content-type": "image/png"
},
"phrase": "OK"
}
},
"ip": "52.212.222.5",
"method": "GET",
"path": "/test-test/resources/img/glyphicons_351_book_open.png",
"port": 8080,
"proc": "",
"query": "GET /test-test/resources/img/glyphicons_351_book_open.png",
"request": "GET /test-test/resources/img/glyphicons_351_book_open.png HTTP/1.1\r\nHost: 52.51.246.160\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36\r\nAccept: image/webp,image/,/*;q=0.8\r\nReferer: http://52.51.246.160/test-test/\r\nAccept-Language: sv-SE,sv;q=0.8,en-US;q=0.6,en;q=0.4\r\nX-Forwarded-For: 85.228.149.74\r\nAccept-Encoding: gzip\r\nX-Varnish: 624842\r\n\r\n",
"response": "HTTP/1.1 200 OK\r\nConnection: keep-alive\r\nLast-Modified: Fri, 22 Aug 2014 19:57:30 GMT\r\nX-Powered-By: Undertow/1\r\nServer: WildFly/10\r\nContent-Type: image/png\r\nContent-Length: 423\r\nDate: Wed, 04 Jan 2017 13:06:53 GMT\r\n\r\n",
"responsetime": 0,
"server": "",
"status": "OK",
"type": "http"
},
"fields": {
"@timestamp": [
1483535213673
]
}
}
My packetbeat.yml:
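#################### Packetbeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The packetbeat.full.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/packetbeat/index.html

#============================== Network device ================================

# Select the network interface to sniff the data. On Linux, you can use the
# "any" keyword to sniff on all connected interfaces.
packetbeat.interfaces.device: any

#================================== Flows =====================================

# Set `enabled: false` or comment out all options to disable flows reporting.
# Flow reporting is disabled here: every option below is commented out.
#packetbeat.flows:
  # Set network flow timeout. Flow is killed if no packet is received before
  # being timed out.
  #timeout: 30s

  # Configure reporting period. If set to -1, only killed flows will be
  # reported.
  #period: 10s

#========================== Transaction protocols =============================

# The options below must be indented under `packetbeat.protocols.http:`.
# Without the indent they parse as unrelated top-level keys and the HTTP
# section is left empty.
packetbeat.protocols.http:
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [80, 8080]

  # send_request / send_response store the raw HTTP message in the `request`
  # and `response` fields of every event. That includes all headers, so
  # cookies, Authorization values and X-Forwarded-For client addresses end up
  # in the index. Enable these only while debugging and restrict who can read
  # the packetbeat-* indices.
  # To limit what is captured, see `redact_authorization` and `hide_keywords`
  # in the HTTP options reference for your Packetbeat version.
  send_response: true
  send_request: true

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to
# group all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#================================ Outputs =====================================

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["xxxxx:9200"]

  # Optional protocol and basic auth credentials.
  # With these three options commented out, events (including the raw
  # request/response payloads enabled above) are sent over plain HTTP with no
  # credentials. If the cluster is reachable beyond a trusted network, set
  # protocol to "https" and use a dedicated account. "changeme" is only the
  # template placeholder and must not be kept as a real password.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["xxxxx:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]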