-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[libbeat] Implement early event encoding for the Elasticsearch output #38572
Conversation
Pinging @elastic/elastic-agent (Team:Elastic-Agent) |
|
|
||
batch := outest.NewBatch(beat.Event{ | ||
batch := encodeBatch(client, outest.NewBatch(beat.Event{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This linter error (and the similar ones below) is mistaken, there is no typecheck error here.
What's worse, if I add a nolint
directive to skip it, it gives an error because the directive is "unused", so something is maybe wrong with the linter config...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add some of the benchmark data? It would be very nice to have for historical purposes.
Since we can't toggle back and forth for this change, do you have any tests that show documents ingested with it are exactly the same as without?
I'm refreshing the benchmark data right now and I'll add it to the PR when done
Only inspection on manual tests... I will try something more systematic, though I'm not sure how much variation arises just from ingestion metadata etc. (Do you have any suggestions for how to test this? I know you did something similar with the shipper at one point.) |
https://github.com/leehinman/docdiff is what I did for shipper. I don't think we need a ton of testing here, the encoding function is the same between the two. I'm probably just being paranoid. |
@leehinman Ok I rigged up some generated data in python (depth-3 json objects with many random keys of varying datatypes), ingested with and without this PR and otherwise identical filebeat configs (except an identifying
Better a little paranoia than an escalation :-) |
I really like this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Add early-encoding support to the queue and the Elasticsearch output.
Early event encoding lets outputs provide helpers that can perform output serialization on an event while it is still in the queue. This early encoding is done in the memory queue's producers, and in the disk queue's reader loop. Benchmarks while writing to Elasticsearch showed significant improvements (reported numbers were measured on Filebeat with a filestream input).
Memory reduction in each preset relative to past versions:
main
CPU reduction for each preset relative to
main
(earlier versions had negligible difference):Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesCHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.How to test this PR locally
Any Beats or Agent configuration that uses the Elasticsearch output goes through the early encoding process and tests this PR (and other outputs still indirectly test the API changes). Some special cases to exercise are: