Add Slowlog fileset for the Elasticsearch module #7473
Conversation
CHANGELOG.asciidoc
Outdated
| @@ -205,6 +205,7 @@ https://github.com/elastic/beats/compare/v6.2.3...master[Check the HEAD diff] | |||
| - Converted part of pipeline from treafik/access metricSet to dissect to improve efficeny. {pull}7209[7209] | |||
| - Add GC fileset to the Elasticsearch module. {pull}7305[7305] | |||
| - Add Audit log fileset to the Elasticsearch module. {pull}7365[7365] | |||
| - Add Slow log fileset to the Elasticsearch module. | |||
There was a problem hiding this comment.
Yes, already prepared for commit.
| example: "[2018-06-29T10:06:14,933][INFO ][index.search.slowlog.query] [v_VJhjV] [metricbeat-6.3.0-2018.06.26][0] took[4.5ms], took_millis[4], total_hits[19435], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{\"query\":{\"match_all\":{\"boost\":1.0}}}]," | ||
| type: group | ||
| fields: | ||
| - name: loglevel |
There was a problem hiding this comment.
This should to under log.level. Already exists so does not have to be added.
| description: "Logger name" | ||
| example: "index.search.slowlog.fetch" | ||
| type: keyword | ||
| - name: node_name |
| description: "Name of the node" | ||
| example: "v_VJhjV" | ||
| type: keyword | ||
| - name: index_name |
There was a problem hiding this comment.
elasticsearch.index.name
We need to check if these two fields already exist or have to be added in Filebeat.
| description: "Name of the index" | ||
| example: "metricbeat-6.3.0-2018.06.26" | ||
| type: keyword | ||
| - name: shard_id |
There was a problem hiding this comment.
I think elasticsearch.shard.id (need to check Metricbeat)
| type: keyword | ||
| - name: took | ||
| description: "Time it took to execute the query" | ||
| example: "300ms" |
There was a problem hiding this comment.
Is this always in ms, meaning we could extract the value?
| description: "Extra source information" | ||
| example: "" | ||
| type: text | ||
| - name: took_millis |
| description: "Time took in milliseconds" | ||
| example: 42 | ||
| type: keyword | ||
| - name: total_hits |
There was a problem hiding this comment.
total.hits
total.shards
Or hits.total and shards.total? Not sure TBH
| default: | ||
| - /var/log/elasticsearch/*_index_search_slowlog.log | ||
| os.darwin: | ||
| - /usr/local/elasticsearch/*_index_search_slowlog.log |
There was a problem hiding this comment.
What is the value of the * here? Does it contain info like cluster id or node id?
This is the initial PR for slowlog indexing