Add deriving metrics from logs use case to Data Prepper #6248
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| --- | ||
| layout: default | ||
| title: Deriving metrics from logs | ||
| parent: Common use cases | ||
| nav_order: 15 | ||
| --- | ||
|
|
||
| # Deriving metrics from logs | ||
|
|
||
| You can use Data Prepper to derive metrics from logs. The following example pipeline receives incoming logs using the [`http` source plugin]({{site.url}}{{site.baseurl}}/data-prepper/pipelines/configuration/sources/http-source) and the [`grok` processor]({{site.url}}{{site.baseurl}}/data-prepper/pipelines/configuration/processors/grok/). It then uses the [`aggregate` processor]({{site.url}}{{site.baseurl}}/data-prepper/pipelines/configuration/processors/aggregate/) to extract the metric bytes aggregated during a 30-second window and derives histograms from the results. | ||
|
|
||
| The overall pipeline contains two pipelines: | ||
|
There was a problem hiding this comment. "main" or "primary" instead of "overall"?
vagimeli marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| - `apache-log-pipeline-with-metrics` -- Receives logs through an HTTP client like FluentBit, uses `grok` to extract important values from the logs by matching the value in the `log` key against the [Apache Common Log Format](https://httpd.apache.org/docs/2.4/logs.html#accesslog), and then forwards the grokked logs to both the `log-to-metrics-pipeline` pipeline and to an OpenSearch index named `logs`. | ||
|
|
||
| - `log-to-metrics-pipeline` -- Receives the grokked logs from the `apache-log-pipeline-with-metrics` pipeline, aggregates the logs, and derives histogram metrics of `bytes` based on the values in the `clientip` and `request` keys. Finally, it sends the histogram metrics to an OpenSearch index named `histogram_metrics`. | ||
|
|
||
| ```json | ||
| apache-log-pipeline-with-metrics: | ||
| source: | ||
| http: | ||
| # Provide the path for ingestion. ${pipelineName} will be replaced with pipeline name configured for this pipeline. | ||
| # In this case it would be "/apache-log-pipeline-with-metrics/logs". This will be the FluentBit output URI value. | ||
| path: "/${pipelineName}/logs" | ||
| processor: | ||
| - grok: | ||
| match: | ||
| log: [ "%{COMMONAPACHELOG_DATATYPED}" ] | ||
| sink: | ||
| - opensearch: | ||
| ... | ||
| index: "logs" | ||
| - pipeline: | ||
| name: "log-to-metrics-pipeline" | ||
|
|
||
| log-to-metrics-pipeline: | ||
| source: | ||
| pipeline: | ||
| name: "apache-log-pipeline-with-metrics" | ||
| processor: | ||
| - aggregate: | ||
| # Specify the required identification keys | ||
| identification_keys: ["clientip", "request"] | ||
| action: | ||
| histogram: | ||
| # Specify the appropriate values for each of the following fields | ||
| key: "bytes" | ||
| record_minmax: true | ||
| units: "bytes" | ||
| buckets: [0, 25000000, 50000000, 75000000, 100000000] | ||
| # Pick the required aggregation period | ||
| group_duration: "30s" | ||
| sink: | ||
| - opensearch: | ||
| ... | ||
| index: "histogram_metrics" | ||
| ``` | ||
| {% include copy-curl.html %} | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This writes data to two indexes - one with un-aggregated events and the other derived metrics.
Can we clarify somewhere? You mention below how we use two pipelines. But, maybe we can make this end result more explicit.