# Operate First Logs 

In this notebook, we will examine an json output of logs collected from our Operate First cluster on the MOC

In [1]:
import json
import pandas as pd
from pandas.io.json import json_normalize

Here we will load the sample data set stored in this repository at `data/raw/logs-ocp-moc-infra1-sample.json`. Details on how to get access to this data directly and prepare it for analysis in a jupyter notebook will be provided in a later notebook.

In [2]:
with open("../data/raw/logs-ocp-moc-infra1-sample.json") as f:
    data = json.load(f)

We know this is a fairly nested json lets take a look at its top level schema. Below, we can see that "hits.hits" is were the bulk of the data lives. Let's go ahead and drill down into that by printing out an example entry and having a look at the schema of the provided data.  

In [3]:
json_normalize(data)

Unnamed: 0,took,timed_out,_shards.total,_shards.successful,_shards.skipped,_shards.failed,hits.total,hits.max_score,hits.hits
0,4263,False,1,1,0,0,42226903,,"[{'_index': 'infra-000001', '_type': '_doc', '..."


In [4]:
data["hits"]["hits"][0]

{'_index': 'infra-000001',
 '_type': '_doc',
 '_id': 'YjcwMWIzMDctNjEyMy00OGM4LThhOGMtZTlhZTUxZjYyYTkx',
 '_score': None,
 '_source': {'docker': {'container_id': '320080ce67dc009f49d9674cebb957e896d4334b809acb38731001fd1951b816'},
  'kubernetes': {'container_name': 'verify-hostname',
   'namespace_name': 'openshift-kni-infra',
   'pod_name': 'mdns-publisher-os-sto-2',
   'pod_id': 'fef76c7c-fe11-435e-acfd-ee275a22a90e',
   'host': 'os-sto-2',
   'master_url': 'https://kubernetes.default.svc',
   'namespace_id': '49fe831a-2307-4029-b97a-a73f950a9a73',
   'namespace_labels': {'name': 'openshift-kni-infra',
    'openshift_io/run-level': '1'},
   'flat_labels': ['app=kni-infra-mdns']},
  'message': '    cat $RUNTIMECFG_HOSTNAME_PATH',
  'level': 'unknown',
  'hostname': 'os-sto-2',
  'pipeline_metadata': {'collector': {'ipaddr4': '192.12.185.132',
    'inputname': 'fluent-plugin-systemd',
    'name': 'fluentd',
    'received_at': '2021-01-27T20:30:23.576240+00:00',
    'version': '1.7.4 1.

Now that we can see all the additional data fields available to us for each log line, lets read it into a dataframe and get a sense of the distribution of values for each column

In [5]:
d = json_normalize(data["hits"]["hits"])
d.head()

Unnamed: 0,_index,_type,_id,_score,sort,_source.docker.container_id,_source.kubernetes.container_name,_source.kubernetes.namespace_name,_source.kubernetes.pod_name,_source.kubernetes.pod_id,...,_source.pipeline_metadata.collector.inputname,_source.pipeline_metadata.collector.name,_source.pipeline_metadata.collector.received_at,_source.pipeline_metadata.collector.version,_source.@timestamp,_source.viaq_msg_id,_source.kubernetes.container_image,_source.kubernetes.container_image_id,_source.kubernetes.namespace_labels.openshift_io/cluster-monitoring,_source.kubernetes.namespace_labels.network_openshift_io/policy-group
0,infra-000001,_doc,YjcwMWIzMDctNjEyMy00OGM4LThhOGMtZTlhZTUxZjYyYTkx,,[1605113545886],320080ce67dc009f49d9674cebb957e896d4334b809acb...,verify-hostname,openshift-kni-infra,mdns-publisher-os-sto-2,fef76c7c-fe11-435e-acfd-ee275a22a90e,...,fluent-plugin-systemd,fluentd,2021-01-27T20:30:23.576240+00:00,1.7.4 1.6.0,2020-11-11T16:52:25.886052+00:00,YjcwMWIzMDctNjEyMy00OGM4LThhOGMtZTlhZTUxZjYyYTkx,,,,
1,infra-000001,_doc,MGUwYzJjYjYtMzMxOC00ZWU3LWJlY2MtMTJmYjMyYjNiMzE2,,[1605113545886],320080ce67dc009f49d9674cebb957e896d4334b809acb...,verify-hostname,openshift-kni-infra,mdns-publisher-os-sto-2,fef76c7c-fe11-435e-acfd-ee275a22a90e,...,fluent-plugin-systemd,fluentd,2021-01-27T20:30:23.576490+00:00,1.7.4 1.6.0,2020-11-11T16:52:25.886174+00:00,MGUwYzJjYjYtMzMxOC00ZWU3LWJlY2MtMTJmYjMyYjNiMzE2,,,,
2,infra-000001,_doc,Y2FmZjJlNDUtYTJkMS00M2ZhLWE3MDctMjViYmIyZGFmMzRk,,[1605113545886],320080ce67dc009f49d9674cebb957e896d4334b809acb...,verify-hostname,openshift-kni-infra,mdns-publisher-os-sto-2,fef76c7c-fe11-435e-acfd-ee275a22a90e,...,fluent-plugin-systemd,fluentd,2021-01-27T20:30:23.576866+00:00,1.7.4 1.6.0,2020-11-11T16:52:25.886174+00:00,Y2FmZjJlNDUtYTJkMS00M2ZhLWE3MDctMjViYmIyZGFmMzRk,,,,
3,infra-000001,_doc,NmFkMTE1MjEtYTgyOS00ODJmLWI4ZTItMmViMWZmM2FlOTRm,,[1605113545886],320080ce67dc009f49d9674cebb957e896d4334b809acb...,verify-hostname,openshift-kni-infra,mdns-publisher-os-sto-2,fef76c7c-fe11-435e-acfd-ee275a22a90e,...,fluent-plugin-systemd,fluentd,2021-01-27T20:30:23.577231+00:00,1.7.4 1.6.0,2020-11-11T16:52:25.886174+00:00,NmFkMTE1MjEtYTgyOS00ODJmLWI4ZTItMmViMWZmM2FlOTRm,,,,
4,infra-000001,_doc,MmJlYjIxMjgtNzQ0Yy00NzFhLWE3N2MtNzYxMDhkNmYyMjg0,,[1605113545886],320080ce67dc009f49d9674cebb957e896d4334b809acb...,verify-hostname,openshift-kni-infra,mdns-publisher-os-sto-2,fef76c7c-fe11-435e-acfd-ee275a22a90e,...,fluent-plugin-systemd,fluentd,2021-01-27T20:30:23.577348+00:00,1.7.4 1.6.0,2020-11-11T16:52:25.886174+00:00,MmJlYjIxMjgtNzQ0Yy00NzFhLWE3N2MtNzYxMDhkNmYyMjg0,,,,


In [6]:
# two quick minor cleaning steps for df.describe function below
d["sort"] = d["sort"].apply(lambda x: x[0])
d["_source.kubernetes.flat_labels"] = d[
    "_source.kubernetes.flat_labels"
].apply(lambda x: " ".join(x))

In [7]:
d.columns

Index(['_index', '_type', '_id', '_score', 'sort',
       '_source.docker.container_id', '_source.kubernetes.container_name',
       '_source.kubernetes.namespace_name', '_source.kubernetes.pod_name',
       '_source.kubernetes.pod_id', '_source.kubernetes.host',
       '_source.kubernetes.master_url', '_source.kubernetes.namespace_id',
       '_source.kubernetes.namespace_labels.name',
       '_source.kubernetes.namespace_labels.openshift_io/run-level',
       '_source.kubernetes.flat_labels', '_source.message', '_source.level',
       '_source.hostname', '_source.pipeline_metadata.collector.ipaddr4',
       '_source.pipeline_metadata.collector.inputname',
       '_source.pipeline_metadata.collector.name',
       '_source.pipeline_metadata.collector.received_at',
       '_source.pipeline_metadata.collector.version', '_source.@timestamp',
       '_source.viaq_msg_id', '_source.kubernetes.container_image',
       '_source.kubernetes.container_image_id',
       '_source.kubernetes.namesp

In [8]:
t2 = pd.to_datetime(d["_source.@timestamp"][len(d) - 1])
t1 = pd.to_datetime(d["_source.@timestamp"][0])
print(t1)
print(t2)
print(t2 - t1)

2020-11-11 16:52:25.886052+00:00
2020-11-12 07:42:20.610002+00:00
0 days 14:49:54.723950


This particular data set contsitutes about 15 hours worth of logs between November 11th and 12th 2020. 

In [9]:
for i in d.columns:
    print(i)
    print(d[i].describe())
    print("\n")

_index
count             4198
unique               1
top       infra-000001
freq              4198
Name: _index, dtype: object


_type
count     4198
unique       1
top       _doc
freq      4198
Name: _type, dtype: object


_id
count                                                 4198
unique                                                4198
top       YTdiNWYwOTQtZmExZi00YjAxLTk0ZTItZTYzM2U0YzY3MWE2
freq                                                     1
Name: _id, dtype: object


_score
count       0
unique      0
top       NaN
freq      NaN
Name: _score, dtype: object


sort
count    4.198000e+03
mean     1.605140e+12
std      1.438565e+07
min      1.605114e+12
25%      1.605130e+12
50%      1.605137e+12
75%      1.605152e+12
max      1.605167e+12
Name: sort, dtype: float64


_source.docker.container_id
count                                                  4198
unique                                                   36
top       16002711f7a50ec1f58b6a4274a32a16703f78c489e960..

Now that we've looked at the different columns availble to us, let's go ahead and aggregate all the log messages by their pod and print out a sample set of logs.

In [21]:
d[["_source.kubernetes.pod_name", "_source.message"]].groupby(
    "_source.kubernetes.pod_name"
)["_source.message"].apply(list)

_source.kubernetes.pod_name
coredns-os-sto-2                                      ['''time='2020-11-11T165225Z' level=info msg='...
csi-cephfsplugin-vxkbf                                [I1111 18:37:17.313016       1 main.go:110] Ve...
csi-rbdplugin-69f9n                                   [I1111 18:37:17.309147  181203 main.go:110] Ve...
dns-default-jbm9m                                     [I1111 16:53:28.822629       1 main.go:186] Va...
keepalived-os-sto-2                                   ['''time='2020-11-11T165230Z' level=info msg='...
machine-config-daemon-mq4zb                           [I1111 16:53:00.178261    4288 start.go:74] Ve...
mdns-publisher-os-sto-2                               [    cat $RUNTIMECFG_HOSTNAME_PATH,     # if h...
multus-c9kjx                                          [Successfully copied files in /usr/src/multus-...
node-ca-dqvlh                                         [image-registry.openshift-image-registry.svc.....
node-exporter-x2ps5                 

In [22]:
logs = (
    d[["_source.kubernetes.pod_name", "_source.message"]]
    .groupby("_source.kubernetes.pod_name")["_source.message"]
    .apply(list)
)

In [23]:
logs.loc["machine-config-daemon-mq4zb"]

['I1111 16:53:00.178261    4288 start.go:74] Version: v4.5.0-202010230137.p0-dirty (3b284da53fa0fffd88d2825457ccc346a08a01e8)',
 "'''I1111 165300.184240    4288 start.go84] Calling chroot('/rootfs')'''",
 'I1111 16:53:00.184580    4288 rpm-ostree.go:369] Running captured: rpm-ostree status --json',
 'I1111 16:53:00.394364    4288 daemon.go:210] Booted osImageURL: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:5702da70ec55deb88af71a7d186caf6131452d6e8d3def37c88f0ccdcf49f1b9 (45.82.202010250529-0)',
 'I1111 16:53:00.397281    4288 metrics.go:106] Registering Prometheus metrics',
 'I1111 16:53:00.397401    4288 metrics.go:111] Starting metrics listener on 127.0.0.1:8797',
 'I1111 16:53:00.399386    4288 update.go:1419] Starting to manage node: os-sto-2',
 'I1111 16:53:00.404725    4288 rpm-ostree.go:369] Running captured: rpm-ostree status',
 'I1111 16:53:00.452237    4288 daemon.go:813] State: idle',
 'Deployments:',
 '* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha25

### Conclusion

In this notebook, we have shown how to read a sample data set of logs from our operate first elasticsearch instance and provided some priliminary insight into the structure of the data and how to look at isolate logs by specific pods, or other identifiers.    