Improve and unify dimensions for Elastic-Agent and Beats metrics #8238
Conversation
Pinging @elastic/elastic-agent (Team:Elastic-Agent)
The metrics from the Elastic-Agent package define some time series, but not enough dimensions for the entries to be unique. This commit adds new mappings and dimensions to make all metrics events unique, and unifies the dimensions from Elastic-Agent and Beats.
The Elastic-Agent PR (elastic/elastic-agent#3626) has been merged, and this PR adds the new mappings/settings. I did a quick test and did not find any issues running an older version of Elastic-Agent with the changes introduced here.
Package elastic_agent - 1.16.0 containing this change is available at https://epr.elastic.co/search?package=elastic_agent
Proposed commit message
The metrics from the Elastic-Agent package define some time series but
not enough dimensions for the entries to be unique. This commit adds
new mappings and dimensions to make all metrics events unique and
unifies the dimensions from Elastic-Agent and Beats.
Checklist
- I have added an entry to the changelog.yml file.
Author's Checklist
Why do we need those new dimensions?
The combination of the dimension fields plus the timestamp must be unique within a time series. In the case of the indices used by the Elastic-Agent integration, Elasticsearch will return a 409 Conflict for any duplicated event.
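As an illustration of how such dimensions are declared (this is not the integration's actual template; the template name, index pattern, and field selection here are assumptions for the sketch), an Elasticsearch time-series index template marks dimension fields with time_series_dimension:

```
PUT _index_template/metrics-sketch
{
  "index_patterns": ["metrics-sketch-*"],
  "data_stream": {},
  "template": {
    "settings": { "index.mode": "time_series" },
    "mappings": {
      "properties": {
        "agent.id":       { "type": "keyword", "time_series_dimension": true },
        "component.id":   { "type": "keyword", "time_series_dimension": true },
        "metricset.name": { "type": "keyword", "time_series_dimension": true }
      }
    }
  }
}
```

With index.mode set to time_series, Elasticsearch derives each document's time-series identity from the dimension fields, which is what makes duplicates rejectable.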
This PR uses the following fields for metrics from Elastic-Agent and Beats:
- agent.id: Each deployed Elastic-Agent has a unique ID, and this ID is present in every event generated by its components; hence the different Beats processes of one agent share the same ID.
- component.id: Each component run by Elastic-Agent has a unique ID, and each component runs in an independent process; this is enough to ensure that different processes using the same Beats binary have unique IDs.
- metricset.name: For each component we collect more than one set of metrics, so some of them may have the same timestamp, which would lead to collisions. Having the metricset name as a dimension ensures there will not be any collision. For some Beats we collect at least the stats and state metricsets (the input configuration can be seen here). We also collect a json metricset.
Why was service.address removed?
service.address is frequently the same for different processes, given the address can be a named pipe on Windows. #7977 contains more details about some possible collisions and how to avoid them.
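The dimension fields above effectively act as a composite uniqueness key together with the timestamp. A small sketch of that idea (purely illustrative; Elasticsearch's real _tsid routing is internal, and the field values below are made up):

```python
# Sketch: timestamp + dimension fields as a uniqueness key.
# Illustrative only; Elasticsearch computes its own internal _tsid.

def tsid_key(event):
    """Build a dedup key from the dimension fields used in this PR."""
    dims = ("agent.id", "component.id", "metricset.name")
    return (event["@timestamp"],) + tuple(event[d] for d in dims)

events = [
    # Two metricsets from the same component at the same timestamp:
    {"@timestamp": "2023-10-19T10:00:00Z", "agent.id": "a1",
     "component.id": "filestream-default", "metricset.name": "stats"},
    {"@timestamp": "2023-10-19T10:00:00Z", "agent.id": "a1",
     "component.id": "filestream-default", "metricset.name": "state"},
]

keys = {tsid_key(e) for e in events}
# Without metricset.name as a dimension, both events would share one key
# (same timestamp, agent.id and component.id) and one would be rejected
# with a 409. With it, both keys are distinct:
assert len(keys) == len(events)
```

Dropping metricset.name from the dims tuple in this sketch collapses the two keys into one, which is exactly the collision the PR fixes.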
How to test this PR locally
```shell
cd packages/elastic_agent
elastic-package -v build
```
Clone the code from the branch fix-tsdb-metrics of the Elastic-Agent PR, then build it; adjust the PLATFORMS according to your system.
Open the metrics-* data view. The entries from data_stream.dataset: elastic_agent.* sent by the Elastic-Agent you built (e.g. you can also filter by host.name) should all contain a component.id field.
Bonus: Testing with Logstash
Testing with Logstash has the advantage that Logstash will log the 409s from Elasticsearch, making it clear whether the fields are correctly ingested into Elasticsearch. However, this PR alone is not enough to prevent the 409s from happening; you will also need to use the Elastic-Agent build mentioned above (see step 3).
First you need to configure Logstash to receive data from Elastic-Agent and send it to Elasticsearch. For this test, the easiest way to get a Stack running is to use elastic-package; it will also enable you to deploy the custom elastic-agent integration from the PR mentioned above. Here is a configuration for Logstash; it uses some self-generated certificates and the default credentials from elastic-package.
logstash-sample.conf
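The attached logstash-sample.conf is not reproduced here. A minimal sketch of such a pipeline, assuming the default elastic-package credentials (elastic/changeme) and hypothetical certificate paths, could look like:

```
input {
  elastic_agent {
    port => 5044
    ssl_enabled => true
    ssl_certificate => "/path/to/logstash.crt"  # self-generated certificate (placeholder path)
    ssl_key => "/path/to/logstash.key"
  }
}

output {
  elasticsearch {
    hosts => ["https://elasticsearch:9200"]
    user => "elastic"        # default elastic-package credentials
    password => "changeme"
    data_stream => true      # preserve the data_stream.* routing set by Elastic-Agent
    ssl_certificate_authorities => ["/path/to/ca.crt"]
  }
}
```

The data_stream => true setting is what lets Elasticsearch route the events into the same metrics-* data streams the integration installs its TSDB mappings for.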
component.id and component.binary are set for events that match data_stream.dataset: elastic_agent.*
Important:
Make sure your Elastic-Agent can resolve the hostnames the elastic-package stack uses; on Linux, add this to your /etc/hosts
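The exact entry was attached to the original PR and is not reproduced here; assuming the default elastic-package Docker service names, a typical entry mapping them to localhost might look like:

```
127.0.0.1 elasticsearch kibana fleet-server logstash
```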
Related issues
Screenshots