<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<title>reveal.js</title>
<link rel="stylesheet" href="css/reset.css">
<link rel="stylesheet" href="css/reveal.css">
<link rel="stylesheet" href="css/theme/night.css">
<!-- Theme used for syntax highlighting of code -->
<link rel="stylesheet" href="lib/css/monokai.css">
<!-- Printing and PDF exports -->
<script>
var link = document.createElement( 'link' );
link.rel = 'stylesheet';
link.type = 'text/css';
link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'css/print/paper.css';
document.getElementsByTagName( 'head' )[0].appendChild( link );
</script>
</head>
<body>
<div class="reveal">
<div class="slides">
<section id='Title'>
<h1>Elastic stack*</h1>
<p>by TL</p>
<p style="font-size:0.4em;text-align: right;">*Up to date for version 6</p>
</section>
<section id='Agenda'>
<section id='Agenda_0'>
<h2>Agenda</h2>
</section>
<section id='Agenda_1'>
<ol>
<li class="fragment fade-up" data-fragment-index="0">
<h4>Terminology</h4>
<p>What's what in Elastic stack</p>
</li>
<li class="fragment fade-up" data-fragment-index="1">
<h4>Architecture</h4>
<p>What is the basic workflow</p>
</li>
<li class="fragment fade-up" data-fragment-index="2">
<h4>Elasticsearch</h4>
<p>The engine of the stack</p>
</li>
</ol>
</section>
<section id='Agenda_2'>
<ol start=4>
<li class="fragment fade-up" data-fragment-index="0">
<h4>Logstash</h4>
<p>First method of ingest</p>
</li>
<li class="fragment fade-up" data-fragment-index="1">
<h4>Filebeat</h4>
<p>Lightweight method of ingest</p>
</li>
<li class="fragment fade-up" data-fragment-index="2">
<h4>Kibana</h4>
<p>Data visualizer</p>
</li>
</ol>
</section>
<section id='Agenda_3'>
<ol start=7>
<li class="fragment fade-up" data-fragment-index="0">
<h4>Data flow</h4>
<p>How data flows through Elastic</p>
</li>
<li class="fragment fade-up" data-fragment-index="1">
<h4>Why json</h4>
<p>Why json is the "best" way for Elastic</p>
</li>
<li class="fragment fade-up" data-fragment-index="2">
<h4>Indexing</h4>
<p>How indexing works</p>
</li>
<li class="fragment fade-up" data-fragment-index="3">
<h4>Query API</h4>
<p>How it's used</p>
</li>
</ol>
</section>
</section>
<section id="Terminology">
<section id='Terminology_0'>
<h4>Terminology</h4>
</section>
<section id='Terminology_1'>
<ul>
<li class="fragment fade-up" data-fragment-index="0">Document - single stored message</li>
<li class="fragment fade-up" data-fragment-index="1">Index - home for your documents</li>
<li class="fragment fade-up" data-fragment-index="2">Node - elasticsearch host</li>
<ul>
<li class="fragment fade-up" data-fragment-index="3">Master - specialized node to schedule indices</li>
<li class="fragment fade-up" data-fragment-index="4">Data - node to store data</li>
<li class="fragment fade-up" data-fragment-index="5">Client - proxy to the cluster</li>
<li class="fragment fade-up" data-fragment-index="6">Tribe - cluster federation</li>
<li class="fragment fade-up" data-fragment-index="7">Ingest - node for processing batch data</li>
</ul>
</ul>
<aside class="notes">
Client - proxies requests to cluster, doesn't do anything else.
Tribe - mainly to connect different clusters and make join queries across them.
</aside>
</section>
<section id='Terminology_2'>
<ul>
<li class="fragment fade-up" data-fragment-index="0">Ingest - process of receiving and parsing data</li>
<li class="fragment fade-up" data-fragment-index="1">Shard - a single Solr index</li>
<li class="fragment fade-up" data-fragment-index="2">Replica - a single copy of a shard</li>
<li class="fragment fade-up" data-fragment-index="3">Mapping - configuration of fields for an index</li>
<li class="fragment fade-up" data-fragment-index="4">Allocation - process of deploying a shard to a node</li>
<li class="fragment fade-up" data-fragment-index="5">Pipeline - config of document processing in Logstash</li>
</ul>
<aside class="notes">
Total number of shards for an index is shard * replica setting.
Mapping is not really a config but more of a type definition for known fields used later by elastic and kibana.
</aside>
</section>
</section>
<section id='Architecture'>
<section id='Architecture_0'>
<h4>Architecture</h4>
</section>
<section id='Architecture_1'>
<p>Basic architecture</p>
<img src="assets/elk-arch.jpg" alt="Architecture" style="width: 75%; height: 75%;">
</section>
<section id='Architecture_2'>
<p>Ideal flow</p>
<img src="assets/082918_1504_ELKStackTut3.png" alt="Ideal flow">
<aside class="notes">
A bit overbuilt for basic purposes, but tends to be the easiest to scale.
</aside>
</section>
</section>
<section id='Elasticsearch'>
<section id='Elasticsearch_0'>
<h4>Elasticsearch</h4>
</section>
<section id='Elasticsearch_1'>
<p>Main component of Elastic Stack, takes care of storing documents in shards,
replication and multiple others</p>
<aside class="notes">
Written in java, scales really well, but mostly horizontally.
</aside>
</section>
<section id='Elasticsearch_2'>
<p class="fragment fade-up" data-fragment-index="0">Has multiple roles, all configurable</p>
<p class="fragment fade-up" data-fragment-index="1">RESTful</p>
<p class="fragment fade-up" data-fragment-index="2">Does weird analytics</p>
<p class="fragment fade-up" data-fragment-index="3">Resource hog</p>
<aside class="notes">
Mainly ram and disk/IO. Needs lots of care and knowledge.
</aside>
</section>
</section>
<section id='Logstash'>
<section id='Logstash_0'>
<h4>Logstash</h4>
</section>
<section id='Logstash_1'>
<p class="fragment fade-up" data-fragment-index="0">Main robust data processor</p>
<p class="fragment fade-up" data-fragment-index="1">Done before arriving at elasticsearch.</p>
<p class="fragment fade-up" data-fragment-index="2">Written in Java.</p>
<p class="fragment fade-up" data-fragment-index="3">Kinda slow.</p>
<p class="fragment fade-up" data-fragment-index="4">Resource hog.</p>
</section>
<section id='Logstash_2'>
<p>Configured in two parts:</p>
<ul>
<li>Logstash config</li>
<li>Pipeline config</li>
</ul>
</section>
<section id='Logstash_3'>
<p>Example pipeline</p>
</section>
<section id='Logstash_4'>
<pre><code class="hljs">input {
  rabbitmq {
    user => "rabbitmq"
    host => "rabbitmq"
    queue => "log"
    exchange => "log"
    durable => true
  }
}
output {
  elasticsearch {
    hosts => ["elasticsearch"]
  }
}</code></pre>
<aside class="notes">
Example pipeline from cms-pzpn, with a couple of fields cut for security reasons. No mutations or conversions.
</aside>
</section>
<section id='Logstash_5'>
<p>Advanced pipeline</p>
</section>
<section id='Logstash_6'>
<pre><code class='hljs' data-trim data-noescape data-line-numbers>input {
  stdin {}
}
filter {
  json {
    source => "message"
  }
  mutate {
    replace => { "[test][a]" => "%{s}" }
    add_field => { "[test][myNewField]" => "%{s}" }
    add_field => { "some" => "%{[test][a]}" }
  }
}
output {
  stdout { codec => rubydebug }
}</code></pre>
<aside class="notes">
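Data is taken from the input and the value of the message field is parsed as a JSON object. [test][a] is replaced with the value of s converted to a string, [test][myNewField] is added with the same value, and some is added with the new value of [test][a].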
</aside>
</section>
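<section id='Logstash_7' data-markdown>
<textarea data-template>
Added example (not part of the original deck and not Logstash code): a Python simulation of the advanced pipeline's `json` and `mutate` steps, showing the resulting event for a constructed input line and for a line that fails JSON parsing. It handles scalar values only and omits metadata fields such as `@timestamp`; all function names are hypothetical.

```python
import json
import re

# Logstash sprintf reference: %{field} or %{[outer][inner]}
REF = re.compile(r"%\{([^}]+)\}")

def path(ref):
    """'[test][a]' -> ['test', 'a']; a bare name is a top-level field."""
    return re.findall(r"\[([^\]]+)\]", ref) or [ref]

def get(event, ref):
    node = event
    for key in path(ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def put(event, ref, value):
    *parents, leaf = path(ref)
    node = event
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value

def sprintf(event, template):
    """Expand references; an unresolved one stays in place as literal text."""
    def expand(m):
        value = get(event, m.group(1))
        return m.group(0) if value is None else str(value)
    return REF.sub(expand, template)

def run_filter(line):
    event = {"message": line}
    try:  # json { source => "message" }: keys merge into the event root
        parsed = json.loads(line)
    except ValueError:
        parsed = None
    if isinstance(parsed, dict):
        event.update(parsed)
    else:
        event["tags"] = ["_jsonparsefailure"]  # later filters still run
    # mutate: replace runs first, add_field is applied afterwards
    put(event, "[test][a]", sprintf(event, "%{s}"))
    put(event, "[test][myNewField]", sprintf(event, "%{s}"))
    put(event, "some", sprintf(event, "%{[test][a]}"))
    return event

SAMPLE = '{"s": "hello", "test": {"a": 1}}'  # constructed input, not from the slides
```
</textarea>
</section>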
</section>
<section id='Fielbeat'>
<section id='Filebeat_0'>
<h4>Filebeat</h4>
</section>
<section id='Filebeat_1'>
<p class="fragment fade-up" data-fragment-index="0">Lightweight daemon</p>
<p class="fragment fade-up" data-fragment-index="1">Written in go</p>
<p class="fragment fade-up" data-fragment-index="2">Reads local files and outputs parsed content</p>
</section>
<section id='Filebeat_2'>
<pre>
<code class='hljs'>#yaml
filebeat.prospectors:
- type: log
  paths:
    - "/var/log/apache2/*"
  fields:
    apache: true
output.elasticsearch:
  hosts: ["localhost:9200"]
</code>
</pre>
<aside class='notes'>
Parses apache logs and ships them to local elasticsearch
</aside>
</section>
</section>
<section id='Kibana'>
<section id='Kibana_0'>
<h4>Kibana</h4>
</section>
<section id='Kibana_1'>
<p class="fragment fade-up" data-fragment-index="0">Full blown data discovery and visualization toolbox</p>
<p class="fragment fade-up" data-fragment-index="1">Pretty interface</p>
<p class="fragment fade-up" data-fragment-index="2">Pretty slow</p>
<p class="fragment fade-up" data-fragment-index="3">More advanced functions need to be scripted in <b>Painless</b></p>
</section>
</section>
<section id='DataFlow'>
<section id='DataFlow_0'>
<h4>Data flow</h4>
</section>
<section id='DataFlow_1'>
<img src="assets/deploy4.png" alt="Example complex data flow">
</section>
</section>
<section id='JSON'>
<section id='JSON_0'>
<h4>Why json?</h4>
</section>
<section id='JSON_1'>
<p class="fragment fade-up" data-fragment-index="0"> JSON is the native storage data format for elasticsearch</p>
<p class="fragment fade-up" data-fragment-index="1">It's easy to query via kibana</p>
<p class="fragment fade-up" data-fragment-index="2">It's easy to store, compresses well</p>
<p class="fragment fade-up" data-fragment-index="3">All of the above only applies to relatively flat json structures</p>
</section>
</section>
<section id='Indexing'>
<section id='Indexing_0'>
<h4>Indexing</h4>
</section>
<section id='Indexing_1'>
<p class="fragment fade-up" data-fragment-index="0">Is done on a single node</p>
<p class="fragment fade-up" data-fragment-index="1">When done it's replicated across cluster</p>
<p class="fragment fade-up" data-fragment-index="2">For most cases blazingly fast</p>
</section>
</section>
<section id='API'>
<section id='API_0'>
<h4>Query API</h4>
</section>
<section id='API_1'>
<p>Simple example</p>
<pre><code class="hljs" data-line-numbers="1,3,4">GET /bank/_search
{
  "query": { "match_all": {} },
  "size": 1
}
</code></pre>
</section>
<section id='API_2'>
<p>Advanced example</p>
</section>
<section id='API_3'>
<pre><code class="hljs" data-line-numbers>POST /bookdb_index/book/_search
{
  "query": {
    "bool": {
      "must": {
        "bool" : {
          "should": [
            { "match": { "title": "Elasticsearch" }},
            { "match": { "title": "Solr" }}
          ],
          "must": {
            "match": {
              "authors": "clinton gormely"
            }
          }
        }
      },
      "must_not": {
        "match": {
          "authors": "radu gheorge"
        }
      }
    }
  }
}</code></pre>
</section>
<section id='API_3'>
<p>Fuzzy query</p>
<pre><code class="hljs" data-line-numbers>POST /bookdb_index/book/_search
{
  "query": {
    "multi_match" : {
      "query" : "comprihensiv guide",
      "fields": ["title", "summary"],
      "fuzziness": "AUTO"
    }
  },
  "_source": ["title", "summary", "publish_date"],
  "size": 1
}</code></pre>
</section>
</section>
<section id='QA'>
<h4>QA</h4>
</section>
</div>
</div>
<script src="js/reveal.js"></script>
<script>
// More info about config & dependencies:
// - https://github.com/hakimel/reveal.js#configuration
// - https://github.com/hakimel/reveal.js#dependencies
Reveal.initialize({
slideNumber: true,
hash: true,
history: true,
width: 960,
height: 700,
navigationMode: "linear",
dependencies: [
{ src: 'plugin/markdown/marked.js' },
{ src: 'plugin/markdown/markdown.js' },
{ src: 'plugin/notes/notes.js', async: true },
{ src: 'plugin/highlight/highlight.js', async: true }
]
});
</script>
</body>
</html>