Rolling up Data Streams

seanziee · November 3, 2021, 1:04pm

Hi there,

I'm curious if making rollups from data streams is recommended/possible? It would be great after rolling over data from my data stream if I could also roll it up into bigger time chunks.

Thanks!

warkolm · November 4, 2021, 12:11am

It's certainly possible, recommending it or not will depend on what you are trying to achieve

seanziee · November 4, 2021, 9:33am

My goal is to use data streams for my metricbeat data and then after 7 days or so, have the 10s data roll up to 30 min data. I want to have my dashboards to query both the rolled up data as well as the current data.. so when looking at the past 2 weeks, data will show for the entire span and because the buckets will be larger, the 30 min data will still show up just like the more recent data.

From the documentation, it seems that you can only call one rollup at a time which concerns me because I will have data streams from metricbeat that create indices for each module (and I also have several different types of machine that ingest metricbeat that create separate indices). i.e.
metrics-system.cpu-prod-companyA, metrics-system.network-prod-companyA

metrics-system.cpu-prod-companyB, metrics-system.network-prod-companyB

So would I only be able to search either A or B when looking at rollups? Would I need to combine all the different company metrics in the same datastream i.e.

metrics-system.cpu-prod-companyAandcompanyB, system.network-prod-companyAandcompanyB

Also how are the multiple underlying .ds indices dealt with for rollups?

seanziee · November 11, 2021, 7:26am

Any thoughts @warkolm ?

seanziee · November 23, 2021, 6:57pm

bump

warkolm · November 24, 2021, 1:40am

Can you share one of the rollup jobs you have configured for this?

seanziee · December 11, 2021, 4:39am

PUT _rollup/job/test_rollupA
{
  "id": "test_rollupA",
  "index_pattern": "test-metricbeat-companyA*",
  "rollup_index": "test-metricbeat_companyA-rollup",
  "cron": "0 0 0 * * ?",
  "page_size": 1000,
  "groups": {
    "date_histogram": {
      "interval": "60m",
      "delay": "7d",
      "time_zone": "UTC",
      "field": "@timestamp"
    },
    "terms": {
      "fields": [
        "container.id.keyword",
        "container.image.name.keyword",
        "container.name.keyword",
        "container.runtime.keyword"
      ]
    }
  },
  "metrics": [
    {
      "field": "docker.cpu.system.ticks",
      "metrics": [
        "avg"
      ]
    },
    {
      "field": "docker.cpu.total.norm.pct",
      "metrics": [
        "avg",
        "max",
        "min",
        "sum",
        "value_count"
      ]
    }
  ]
}

PUT _rollup/job/test_rollupB
{
  "id": "test_rollupB",
 "index_pattern": "test-metricbeat-companyB*",
  "rollup_index": "test-metricbeat_companyB-rollup",
  "cron": "0 0 0 * * ?",
  "page_size": 1000,
  "groups": {
    "date_histogram": {
      "interval": "60m",
      "delay": "7d",
      "time_zone": "UTC",
      "field": "@timestamp"
    },
    "terms": {
      "fields": [
        "container.id.keyword",
        "container.image.name.keyword",
        "container.name.keyword",
        "container.runtime.keyword"
      ]
    }
  },
  "metrics": [
    {
      "field": "docker.cpu.system.ticks",
      "metrics": [
        "avg"
      ]
    },
    {
      "field": "docker.cpu.total.norm.pct",
      "metrics": [
        "avg",
        "max",
        "min",
        "sum",
        "value_count"
      ]
    }
  ]
}

seanziee · December 11, 2021, 6:21am

Sorry for the delay and thanks for getting back to me. I posted the above for you to see.

system · January 8, 2022, 6:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.