Simple log processing without Logstash

John16 · January 30, 2017, 5:10pm

Hello,

I want to use filebeat to send logs to elasticsearch with simple structure (date in custom format, http code, processing time in ms, query text).
So log line should be parsed and these data should go to different fields in Index.

Also I want to add another field (length of query text in symbols, provided it is in UTF-8 encoding), and I want to truncate the actual text so it fits to 32Kb (because of ES limitation).

As far as I understand I can do all these things in Logstash (even add custom handler written in Ruby).

The question is: is it possible to avoid using logstash at all and achieve these transformations using filebeat only (and possibly in ES using ingest API, pipelining. etc).

Thanks!

warkolm · January 30, 2017, 9:46pm

Why not Logstash?

Filebeat can't do this. Ingest can't either.

John16 · January 31, 2017, 9:42am

I feel that Logstash eats too much CPU for simple task (receive data via network, parse line against regexp, post parsed json to ES).

It eats almost the same CPU as ES instance on the same machine. But ES performs complex task (index logs) compared with dumb logstash.

ruflin · February 1, 2017, 8:58am

If LS is not an option, you should check the Ingest Processors if you can do it their: https://www.elastic.co/guide/en/elasticsearch/reference/master/ingest-processors.html But Logstash is the one with the full power for such transformation.

John16 · February 1, 2017, 9:47am

I tried to load sample log file into ES vis LS. LS process consumed 2 times more CPU that ES. Is it normal? ES does complex job indexing data. And LS only parses lines against regexp. It feels that LS should be rather light process, but it is not case

tudor · February 1, 2017, 10:44am

Regexp tend to be CPU expensive. I recommend trying the Logstash dissect filter: https://www.elastic.co/blog/logstash-dude-wheres-my-chainsaw-i-need-to-dissect-my-logs

John16 · February 4, 2017, 1:35pm

Thanks, I will looks at dissect module.

Though the same logic for parsing log lines against regexps written in Python consumes like an order of magnitude less CPU that logstash does. So something looks broken here...

system · March 4, 2017, 1:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.