Enable multiple outputs for each input #725
Conversation
Signed-off-by: constanca <[email protected]>
Signed-off-by: constanca <[email protected]>
Signed-off-by: constanca <[email protected]>
Signed-off-by: constanca <[email protected]>
Signed-off-by: constanca <[email protected]>
Signed-off-by: constanca <[email protected]>
|
I want to see if there is any significant change in performance between our latest released version, lambda-v1.14.0, and the ESF created from this PR. To check this, I am going to trigger ESF based on messages coming to a cloudwatch logs group. This group is receiving some X number of events, then stops for 30s, and then the cycle repeats. The number of events doubles every 20 cycles. I let it run 100 cycles. Summarizing:
The message being sent is small sized, only 94b. I also want to check how long it takes to get a message from the cloudwatch groups to elasticsearch. Since ESF does not add to a document to ingest timestamp, I am going to add a default ingest pipeline and add that field in every document. You can add the ingest pipeline like this.I deployed ESF and updated the lambda 3 times:
So the first line in my graphics corresponds to first run, second line to second run, and third line to third run. The cloudwatch metrics for the ESF lambda function are these:
There is very little difference between the 3 ESFs and their configurations. For the 2 outputs configurations, the average duration slightly increased. This is to be expected, as now it needs to iterate over two outputs. I also computed the average latency using the field my ingest pipeline added. I am calculating the latency this way:
The latency for 1 output (the one that is common for all three runs) is like this: The latency for this output barely changed between my 3 runs. The second output (third run) has a bigger latency: This is to be expected as well. We can see that the minimum average latency is already past the latency of the first output. From this we can conclude that ESF sent the data to the first output first, and then it sent the data to this second output. They did not happen in parallel. My conclusions is that there is no significant change or decay in performance. However, the more outputs the user adds, the bigger the latency gets for each output. |
|
|
||
| # Let's wrap the specific output shipper in the composite one, since the composite deepcopy the mutating events | ||
| shipper: CompositeShipper = CompositeShipper() | ||
|
|
||
| if output_type == "elasticsearch": | ||
| if output.type == "elasticsearch": |
There was a problem hiding this comment.
I would suggest to either keep output.type or output_destination common in the whole doc
So output.type to become output.destination
There was a problem hiding this comment.
output.destination is the URL - either the cloud url or ES url. output.type can only be elasticsearch or logstash, they are different things @gizas
There was a problem hiding this comment.
Ok I had the impression that output.destination does not exist. Thanks for clarification
So destination should become output_url in general to denote the actual info of the variabble. But nw not important
|
|
||
| if output_type in self._outputs: | ||
| raise ValueError(f"Duplicated `type` {output_type}") | ||
| if output_type not in _available_output_types: |
There was a problem hiding this comment.
Same here to chaneg type with destination
There was a problem hiding this comment.
Same comment as before, output.type can only be elasticsearch or logstash, we use it to create the shipper, not the same as the destination
| elif output_type == "logstash": | ||
| if "logstash_url" not in kwargs: | ||
| raise ValueError(f"Output type {output_type} requires logstash_url to be set") | ||
| output_dest = kwargs["logstash_url"] |
There was a problem hiding this comment.
@gizas You can see in this line how the output destination is initiated
What does this PR do?
Each input can now have multiple outputs of the same
type. It cannot, however, have the same output specified more than once for each input - that is, it cannot have twoelasticsearchoutputs with the same destination. See section Results for examples.Why is it important?
See details on #721.
Checklist
CHANGELOG.mdHow to test this PR locally
Refer to https://github.com/elastic/elastic-serverless-forwarder/tree/main/how-to-test-locally.
Related issues
Relates to #721
Results
Example 1: Trying 2
elasticsearchoutputsI have an input with two
elasticsearchoutputs:I sent a log event from this input.
If I look at Discover in both clouds, I can see that both outputs got my message:
https://terraform-8b3bac.es.eu-central-1.aws.cloud.es.io:
https://terraform-2.es.europe-west4.gcp.elastic-cloud.com:
Example 2: Trying 2
elasticsearchoutputs with the same destinationI have an input with two
elasticsearchoutputs that are the same:This case fails, since we cannot have duplicated outputs (that is, output with the same destination for the same input):
Example 3: Checking message body in replay queue
The message body caused by an ingestion error should contain the
output_destination(instead ofoutput_typelike before). I am causing the placement of the message in the replay queue by using wrong authentication:Message in the replay queue:
{"output_destination":"https://terraform-8b3bac.es.eu-central-1.aws.cloud.es.io","output_args":{"es_datastream_name":"logs-esf.cloudwatch-default"},"event_payload":...