Looking for community input.
We'd like Telegraf to have some integration with logstash. Not being a user of logstash myself, what should this look like? An output that can send arbitrary telegraf data to logstash, or a plugin that could consume logstash output and forward to InfluxDB?
sparrc
All 12 comments
I'm a pretty heavy logstash user. I think it would be cool to do both if possible but I favor a pure output. Since logstash is a great router to different services, it could in itself send to InfluxDB as logstash output.
It could be alot like the Kafka/NSQ output. With it being formatted into the logstash protocol. Since we already using tags, that can be an exact mapping for logstash. Type configured from the configuration file, defaulting to telegraf. I'm unsure if anyone has created a codec in logstash for the new line protocol yet.
Additionally we do have outputs that logstash uses as inputs very heavily amqp,kafka,redis. It could just be as simple as adding the logstash protocol option to those. Its not very often you will directly send to logstash without a broker in the middle.
jrxFive
on 28 Oct 2015
@sparrc, any suggestion on which direction? I probably have some time to start this.
jrxFive
on 11 Nov 2015
@jrxFive Sorry I missed this comment. I think that supporting the logstash encoding would be good. I was recently thinking about ways to do this, one option would be to have "protocol" plugins that could parse the client.Point object to various different protocols, such as logstash. Currently we pretty much just do line-protocol, JSON would be easy and an obvious one to support as well.
So let me think on how that would look architecturally, it would be nice if users could plug different protocols into input and output plugins adhoc.
sparrc
on 22 Jan 2016
The current output in logstash does not work well. We have experienced issues where influx drops data because the logstash output does not backoff when influx is busy. I am assuming Telegraf knows to do so? So a plugin that consumes logstash output would be nice.
sslupsky
on 19 Feb 2016
@sslupsky what do you mean by "busy"?
zstyblik
on 20 Feb 2016
@zstyblik When Influx cannot accept data, it throws a 500 error. When it does that you need to back off for a while. Unfortunately, the influx output for logstash does not back off and keeps shoving data at influx.
My developer mentioned that if the influx plugin for logstash was a codec, then he thought maybe you could use the logstash http output to send data to influx instead.
sslupsky
on 20 Feb 2016
@sslupsky I see and thank you for explanation. As for http plugin in logstash, it doesn't allow batching as far as my experience goes :-s
zstyblik
on 20 Feb 2016
@sparrc another idea for logstash integration could be to integrate with elastic's beates framework. It's also written in go so the integration may not be that difficult. The beats framework knows how to ship data to various outputs including logstash and elasticsearch and does some nice things like reducing the send frequency when logstash/elasticsearch are "busy". We would be very interested in a logstash output plugin.
deanefrati
on 13 Mar 2016
Having Kafka as a middle man for both Input and Output plugins in Logstash would be in my opinion the best way. Solves all possible performance problems.
Another use case for a Logstash integration would be a InfluxDB filter. That way you could configure Logstash to query InfluxDB when a certain event comes in. For example if an error message comes in it could query InfluxDB for current active sessions, average sessions for the past 10 minutes and for the past 60 minutes.
elvarb
on 12 Apr 2016
@sparrc
Is this will handle aggregation also, Please take a look at this https://github.com/influxdata/telegraf/issues/1349 ?
alimousazy
on 8 Jun 2016
aggregation will not be specific to any one plugin, see #380
sparrc
on 8 Jun 2016
If you want specific events from logstash into InfluxDB then you can also use this output configuration in Logstash:
# Output HTTP access log info to Telegraf TCP listener which ends up in InfluxDB
if "http-access" in [type] {
tcp {
host => "127.0.0.1"
port => 8094
codec => line {
format => "http_access,program=%{program},host=%{host},vhost=%{vhost},port=%{port},status=%{status},scheme=%{scheme},method=%{method},severity=%{severity} bytes=%{bytes}i,duration=%{duration},count=1i %{@timestamp_ns}"
}
}
}
You'll need this in your filter section as well:
if [@timestamp] {
ruby {
# event.get('@timestamp').time is an object of class 'Time'
# See http://ruby-doc.org/core-2.2.0/Time.html for details
# Convert to rational number (fraction) and multiple with 1e9, store as integer
code => "event.set('@timestamp_ns', ( event.get('@timestamp').time.to_r * 1000000000 ).to_i )"
}
}
robinsmidsrod
on 10 May 2017
Related issues
robert-gomes
路
3Comments
chench00
路
3Comments
hluaces
路
3Comments
veerendra2
路
3Comments
Isonami
路
3Comments
Most helpful comment
@sparrc another idea for logstash integration could be to integrate with elastic's beates framework. It's also written in go so the integration may not be that difficult. The beats framework knows how to ship data to various outputs including logstash and elasticsearch and does some nice things like reducing the send frequency when logstash/elasticsearch are "busy". We would be very interested in a logstash output plugin.