|
|
@@ -4,10 +4,22 @@
|
|
|
<titleabbrev>Run downsampling manually</titleabbrev>
|
|
|
++++
|
|
|
|
|
|
-This is a simplified example that allows you to see quickly how
|
|
|
-<<downsampling,downsampling>> works to reduce the storage size of a time series
|
|
|
-index. The example uses typical Kubernetes cluster monitoring data. To test out
|
|
|
-downsampling, follow these steps:
|
|
|
+////
|
|
|
+[source,console]
|
|
|
+----
|
|
|
+DELETE _data_stream/my-data-stream
|
|
|
+DELETE _index_template/my-data-stream-template
|
|
|
+DELETE _ingest/pipeline/my-timestamp-pipeline
|
|
|
+----
|
|
|
+// TEARDOWN
|
|
|
+////
|
|
|
+
|
|
|
+The recommended way to downsample a time series data stream (TSDS) is
|
|
|
+<<downsampling-ilm,through index lifecycle management (ILM)>>. However, if
|
|
|
+you're not using ILM, you can downsample a TSDS manually. This guide shows you
|
|
|
+how, using typical Kubernetes cluster monitoring data.
|
|
|
+
|
|
|
+To test out manual downsampling, follow these steps:
|
|
|
|
|
|
. Check the <<downsampling-manual-prereqs,prerequisites>>.
|
|
|
. <<downsampling-manual-create-index>>.
|
|
|
@@ -19,28 +31,25 @@ downsampling, follow these steps:
|
|
|
[[downsampling-manual-prereqs]]
|
|
|
==== Prerequisites
|
|
|
|
|
|
-Refer to <<tsds-prereqs,time series data stream prerequisites>>.
|
|
|
-
|
|
|
-For the example you need a sample data file. Download the file from link:
|
|
|
-https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/bltf2fe7a300c3c59f7/631b4bc5cc56115de2f58e8c/sample-k8s-metrics.json[here]
|
|
|
-and save it in the local directory where you're running {es}.
|
|
|
+* Refer to the <<tsds-prereqs,TSDS prerequisites>>.
|
|
|
+* It is not possible to downsample a data stream directly, nor
|
|
|
+multiple indices at once. It's only possible to downsample one time series index
|
|
|
+(TSDS backing index).
|
|
|
+* In order to downsample an index, it needs to be read-only. For a TSDS write
|
|
|
+index, this means it needs to be rolled over and made read-only first.
|
|
|
+* Downsampling uses UTC timestamps.
|
|
|
+* Downsampling needs at least one metric field to exist in the time series
|
|
|
+index.
|
|
|
|
|
|
[discrete]
|
|
|
[[downsampling-manual-create-index]]
|
|
|
-==== Create a time series index
|
|
|
+==== Create a time series data stream
|
|
|
|
|
|
-This creates an index for a basic data stream. The available parameters for an
|
|
|
-index are described in detail in <<set-up-a-data-stream,Set up a time series
|
|
|
-data stream>>.
|
|
|
-
|
|
|
-The time series boundaries are set so that sampling data for the index begins at
|
|
|
-`2022-06-10T00:00:00Z` and ends at `2022-06-30T23:59:59Z`.
|
|
|
-
|
|
|
-For simplicity, in the time series mapping all `time_series_metric` parameters
|
|
|
-are set to type `gauge`, but <<time-series-metric,other values>> such as
|
|
|
-`counter` and `histogram` may also be used. The `time_series_metric` values
|
|
|
-determine the kind of statistical representations that are used during
|
|
|
-downsampling.
|
|
|
+First, you'll create a TSDS. For simplicity, in the time series mapping all
|
|
|
+`time_series_metric` parameters are set to type `gauge`, but
|
|
|
+<<time-series-metric,other values>> such as `counter` and `histogram` may also
|
|
|
+be used. The `time_series_metric` values determine the kind of statistical
|
|
|
+representations that are used during downsampling.
|
|
|
|
|
|
The index template includes a set of static
|
|
|
<<time-series-dimension,time series dimensions>>: `host`, `namespace`,
|
|
|
@@ -49,258 +58,241 @@ downsampling process.
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-PUT /sample-01
|
|
|
+PUT _index_template/my-data-stream-template
|
|
|
{
|
|
|
+ "index_patterns": [
|
|
|
+ "my-data-stream*"
|
|
|
+ ],
|
|
|
+ "data_stream": {},
|
|
|
+ "template": {
|
|
|
"settings": {
|
|
|
- "index": {
|
|
|
- "mode": "time_series",
|
|
|
- "time_series": {
|
|
|
- "start_time": "2022-06-10T00:00:00Z",
|
|
|
- "end_time": "2022-06-30T23:59:59Z"
|
|
|
- },
|
|
|
- "routing_path": [
|
|
|
- "kubernetes.namespace",
|
|
|
- "kubernetes.host",
|
|
|
- "kubernetes.node",
|
|
|
- "kubernetes.pod"
|
|
|
- ],
|
|
|
- "number_of_replicas": 0,
|
|
|
- "number_of_shards": 2
|
|
|
- }
|
|
|
+ "index": {
|
|
|
+ "mode": "time_series",
|
|
|
+ "routing_path": [
|
|
|
+ "kubernetes.namespace",
|
|
|
+ "kubernetes.host",
|
|
|
+ "kubernetes.node",
|
|
|
+ "kubernetes.pod"
|
|
|
+ ],
|
|
|
+ "number_of_replicas": 0,
|
|
|
+ "number_of_shards": 2
|
|
|
+ }
|
|
|
},
|
|
|
"mappings": {
|
|
|
- "properties": {
|
|
|
- "@timestamp": {
|
|
|
- "type": "date"
|
|
|
- },
|
|
|
- "kubernetes": {
|
|
|
- "properties": {
|
|
|
- "container": {
|
|
|
- "properties": {
|
|
|
- "cpu": {
|
|
|
- "properties": {
|
|
|
- "usage": {
|
|
|
- "properties": {
|
|
|
- "core": {
|
|
|
- "properties": {
|
|
|
- "ns": {
|
|
|
- "type": "long"
|
|
|
- }
|
|
|
- }
|
|
|
- },
|
|
|
- "limit": {
|
|
|
- "properties": {
|
|
|
- "pct": {
|
|
|
- "type": "float"
|
|
|
- }
|
|
|
- }
|
|
|
- },
|
|
|
- "nanocores": {
|
|
|
- "type": "long",
|
|
|
- "time_series_metric": "gauge"
|
|
|
- },
|
|
|
- "node": {
|
|
|
- "properties": {
|
|
|
- "pct": {
|
|
|
- "type": "float"
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- },
|
|
|
- "memory": {
|
|
|
- "properties": {
|
|
|
- "available": {
|
|
|
- "properties": {
|
|
|
- "bytes": {
|
|
|
- "type": "long",
|
|
|
- "time_series_metric": "gauge"
|
|
|
- }
|
|
|
- }
|
|
|
- },
|
|
|
- "majorpagefaults": {
|
|
|
- "type": "long"
|
|
|
- },
|
|
|
- "pagefaults": {
|
|
|
- "type": "long",
|
|
|
- "time_series_metric": "gauge"
|
|
|
- },
|
|
|
- "rss": {
|
|
|
- "properties": {
|
|
|
- "bytes": {
|
|
|
- "type": "long",
|
|
|
- "time_series_metric": "gauge"
|
|
|
- }
|
|
|
- }
|
|
|
- },
|
|
|
- "usage": {
|
|
|
- "properties": {
|
|
|
- "bytes": {
|
|
|
- "type": "long",
|
|
|
- "time_series_metric": "gauge"
|
|
|
- },
|
|
|
- "limit": {
|
|
|
- "properties": {
|
|
|
- "pct": {
|
|
|
- "type": "float"
|
|
|
- }
|
|
|
- }
|
|
|
- },
|
|
|
- "node": {
|
|
|
- "properties": {
|
|
|
- "pct": {
|
|
|
- "type": "float"
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- },
|
|
|
- "workingset": {
|
|
|
- "properties": {
|
|
|
- "bytes": {
|
|
|
- "type": "long",
|
|
|
- "time_series_metric": "gauge"
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- },
|
|
|
- "name": {
|
|
|
- "type": "keyword"
|
|
|
- },
|
|
|
- "start_time": {
|
|
|
- "type": "date"
|
|
|
+ "properties": {
|
|
|
+ "@timestamp": {
|
|
|
+ "type": "date"
|
|
|
+ },
|
|
|
+ "kubernetes": {
|
|
|
+ "properties": {
|
|
|
+ "container": {
|
|
|
+ "properties": {
|
|
|
+ "cpu": {
|
|
|
+ "properties": {
|
|
|
+ "usage": {
|
|
|
+ "properties": {
|
|
|
+ "core": {
|
|
|
+ "properties": {
|
|
|
+ "ns": {
|
|
|
+ "type": "long"
|
|
|
+ }
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "limit": {
|
|
|
+ "properties": {
|
|
|
+ "pct": {
|
|
|
+ "type": "float"
|
|
|
}
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "nanocores": {
|
|
|
+ "type": "long",
|
|
|
+ "time_series_metric": "gauge"
|
|
|
+ },
|
|
|
+ "node": {
|
|
|
+ "properties": {
|
|
|
+ "pct": {
|
|
|
+ "type": "float"
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "memory": {
|
|
|
+ "properties": {
|
|
|
+ "available": {
|
|
|
+ "properties": {
|
|
|
+ "bytes": {
|
|
|
+ "type": "long",
|
|
|
+ "time_series_metric": "gauge"
|
|
|
}
|
|
|
+ }
|
|
|
},
|
|
|
- "host": {
|
|
|
- "type": "keyword",
|
|
|
- "time_series_dimension": true
|
|
|
+ "majorpagefaults": {
|
|
|
+ "type": "long"
|
|
|
},
|
|
|
- "namespace": {
|
|
|
- "type": "keyword",
|
|
|
- "time_series_dimension": true
|
|
|
+ "pagefaults": {
|
|
|
+ "type": "long",
|
|
|
+ "time_series_metric": "gauge"
|
|
|
},
|
|
|
- "node": {
|
|
|
- "type": "keyword",
|
|
|
- "time_series_dimension": true
|
|
|
+ "rss": {
|
|
|
+ "properties": {
|
|
|
+ "bytes": {
|
|
|
+ "type": "long",
|
|
|
+ "time_series_metric": "gauge"
|
|
|
+ }
|
|
|
+ }
|
|
|
},
|
|
|
- "pod": {
|
|
|
- "type": "keyword",
|
|
|
- "time_series_dimension": true
|
|
|
+ "usage": {
|
|
|
+ "properties": {
|
|
|
+ "bytes": {
|
|
|
+ "type": "long",
|
|
|
+ "time_series_metric": "gauge"
|
|
|
+ },
|
|
|
+ "limit": {
|
|
|
+ "properties": {
|
|
|
+ "pct": {
|
|
|
+ "type": "float"
|
|
|
+ }
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "node": {
|
|
|
+ "properties": {
|
|
|
+ "pct": {
|
|
|
+ "type": "float"
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "workingset": {
|
|
|
+ "properties": {
|
|
|
+ "bytes": {
|
|
|
+ "type": "long",
|
|
|
+ "time_series_metric": "gauge"
|
|
|
+ }
|
|
|
+ }
|
|
|
}
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "name": {
|
|
|
+ "type": "keyword"
|
|
|
+ },
|
|
|
+ "start_time": {
|
|
|
+ "type": "date"
|
|
|
}
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "host": {
|
|
|
+ "type": "keyword",
|
|
|
+ "time_series_dimension": true
|
|
|
+ },
|
|
|
+ "namespace": {
|
|
|
+ "type": "keyword",
|
|
|
+ "time_series_dimension": true
|
|
|
+ },
|
|
|
+ "node": {
|
|
|
+ "type": "keyword",
|
|
|
+ "time_series_dimension": true
|
|
|
+ },
|
|
|
+ "pod": {
|
|
|
+ "type": "keyword",
|
|
|
+ "time_series_dimension": true
|
|
|
}
|
|
|
+ }
|
|
|
}
|
|
|
+ }
|
|
|
}
|
|
|
+ }
|
|
|
}
|
|
|
-
|
|
|
----
|
|
|
|
|
|
[discrete]
|
|
|
[[downsampling-manual-ingest-data]]
|
|
|
==== Ingest time series data
|
|
|
|
|
|
-In a terminal window with {es} running, run the following curl command to load
|
|
|
-the documents from the downloaded sample data file:
|
|
|
+Because time series data streams have been designed to
|
|
|
+<<tsds-accepted-time-range,only accept recent data>>, in this example, you'll
|
|
|
+use an ingest pipeline to time-shift the data as it gets indexed. As a result,
|
|
|
+the indexed data will have an `@timestamp` from the last 15 minutes.
|
|
|
+
|
|
|
+Create the pipeline with this request:
|
|
|
|
|
|
-[source,sh]
|
|
|
+[source,console]
|
|
|
----
|
|
|
-curl -s -H "Content-Type: application/json" \
|
|
|
- -XPOST http://<elasticsearch-node>/sample-01/_bulk?pretty \
|
|
|
- --data-binary @sample-k8s-metrics.json
|
|
|
+PUT _ingest/pipeline/my-timestamp-pipeline
|
|
|
+{
|
|
|
+ "description": "Shifts the @timestamp to the last 15 minutes",
|
|
|
+ "processors": [
|
|
|
+ {
|
|
|
+ "set": {
|
|
|
+ "field": "ingest_time",
|
|
|
+ "value": "{{_ingest.timestamp}}"
|
|
|
+ }
|
|
|
+ },
|
|
|
+ {
|
|
|
+ "script": {
|
|
|
+ "lang": "painless",
|
|
|
+ "source": """
|
|
|
+ def delta = ChronoUnit.SECONDS.between(
|
|
|
+ ZonedDateTime.parse("2022-06-21T15:49:00Z"),
|
|
|
+ ZonedDateTime.parse(ctx["ingest_time"])
|
|
|
+ );
|
|
|
+ ctx["@timestamp"] = ZonedDateTime.parse(ctx["@timestamp"]).plus(delta,ChronoUnit.SECONDS).toString();
|
|
|
+ """
|
|
|
+ }
|
|
|
+ }
|
|
|
+ ]
|
|
|
+}
|
|
|
----
|
|
|
-// NOTCONSOLE
|
|
|
+// TEST[continued]
|
|
|
|
|
|
-Approximately 18,000 documents are added. Check the search results for the newly
|
|
|
-ingested data:
|
|
|
+Next, use a bulk API request to automatically create your TSDS and index a set
|
|
|
+of ten documents:
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-GET /sample-01*/_search
|
|
|
+PUT /my-data-stream/_bulk?refresh&pipeline=my-timestamp-pipeline
|
|
|
+{"create": {}}
|
|
|
+{"@timestamp":"2022-06-21T15:49:00Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":91153,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":463314616},"usage":{"bytes":307007078,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":585236},"rss":{"bytes":102728},"pagefaults":120901,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
|
|
|
+{"create": {}}
|
|
|
+{"@timestamp":"2022-06-21T15:45:50Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":124501,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":982546514},"usage":{"bytes":360035574,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":1339884},"rss":{"bytes":381174},"pagefaults":178473,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
|
|
|
+{"create": {}}
|
|
|
+{"@timestamp":"2022-06-21T15:44:50Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":38907,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":862723768},"usage":{"bytes":379572388,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":431227},"rss":{"bytes":386580},"pagefaults":233166,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
|
|
|
+{"create": {}}
|
|
|
+{"@timestamp":"2022-06-21T15:44:40Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":86706,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":567160996},"usage":{"bytes":103266017,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":1724908},"rss":{"bytes":105431},"pagefaults":233166,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
|
|
|
+{"create": {}}
|
|
|
+{"@timestamp":"2022-06-21T15:44:00Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":150069,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":639054643},"usage":{"bytes":265142477,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":1786511},"rss":{"bytes":189235},"pagefaults":138172,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
|
|
|
+{"create": {}}
|
|
|
+{"@timestamp":"2022-06-21T15:42:40Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":82260,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":854735585},"usage":{"bytes":309798052,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":924058},"rss":{"bytes":110838},"pagefaults":259073,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
|
|
|
+{"create": {}}
|
|
|
+{"@timestamp":"2022-06-21T15:42:10Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":153404,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":279586406},"usage":{"bytes":214904955,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":1047265},"rss":{"bytes":91914},"pagefaults":302252,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
|
|
|
+{"create": {}}
|
|
|
+{"@timestamp":"2022-06-21T15:40:20Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":125613,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":822782853},"usage":{"bytes":100475044,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":2109932},"rss":{"bytes":278446},"pagefaults":74843,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
|
|
|
+{"create": {}}
|
|
|
+{"@timestamp":"2022-06-21T15:40:10Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":100046,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":567160996},"usage":{"bytes":362826547,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":1986724},"rss":{"bytes":402801},"pagefaults":296495,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
|
|
|
+{"create": {}}
|
|
|
+{"@timestamp":"2022-06-21T15:38:30Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":40018,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":1062428344},"usage":{"bytes":265142477,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":2294743},"rss":{"bytes":340623},"pagefaults":224530,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
|
|
|
----
|
|
|
// TEST[continued]
|
|
|
|
|
|
-The query has at least 10,000 hits and returns the first 10. In each document
|
|
|
-you can see the time series dimensions (`host`, `node`, `pod` and `container`)
|
|
|
-as well as the various CPU and memory time series metrics.
|
|
|
+You can use the search API to check if the documents have been indexed
|
|
|
+correctly:
|
|
|
|
|
|
-[source,console-result]
|
|
|
+[source,console]
|
|
|
----
|
|
|
- "hits": {
|
|
|
- "total": {
|
|
|
- "value": 10000,
|
|
|
- "relation": "gte"
|
|
|
- },
|
|
|
- "max_score": 1,
|
|
|
- "hits": [
|
|
|
- {
|
|
|
- "_index": "sample-01",
|
|
|
- "_id": "WyHN6N6AwdaJByQWAAABgYOOweA",
|
|
|
- "_score": 1,
|
|
|
- "_source": {
|
|
|
- "@timestamp": "2022-06-20T23:59:40Z",
|
|
|
- "kubernetes": {
|
|
|
- "host": "gke-apps-0",
|
|
|
- "node": "gke-apps-0-1",
|
|
|
- "pod": "gke-apps-0-1-0",
|
|
|
- "container": {
|
|
|
- "cpu": {
|
|
|
- "usage": {
|
|
|
- "nanocores": 80037,
|
|
|
- "core": {
|
|
|
- "ns": 12828317850
|
|
|
- },
|
|
|
- "node": {
|
|
|
- "pct": 0.0000277905
|
|
|
- },
|
|
|
- "limit": {
|
|
|
- "pct": 0.0000277905
|
|
|
- }
|
|
|
- }
|
|
|
- },
|
|
|
- "memory": {
|
|
|
- "available": {
|
|
|
- "bytes": 790830121
|
|
|
- },
|
|
|
- "usage": {
|
|
|
- "bytes": 139548672,
|
|
|
- "node": {
|
|
|
- "pct": 0.01770037710617187
|
|
|
- },
|
|
|
- "limit": {
|
|
|
- "pct": 0.00009923134671484496
|
|
|
- }
|
|
|
- },
|
|
|
- "workingset": {
|
|
|
- "bytes": 2248540
|
|
|
- },
|
|
|
- "rss": {
|
|
|
- "bytes": 289260
|
|
|
- },
|
|
|
- "pagefaults": 74843,
|
|
|
- "majorpagefaults": 0
|
|
|
- },
|
|
|
- "start_time": "2021-03-30T07:59:06Z",
|
|
|
- "name": "container-name-44"
|
|
|
- },
|
|
|
- "namespace": "namespace26"
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
-...
|
|
|
+GET /my-data-stream/_search
|
|
|
----
|
|
|
-// TEST[skip:todo]
|
|
|
// TEST[continued]
|
|
|
|
|
|
-Next, you can run a terms aggregation on the set of time series dimensions (`_tsid`) to
|
|
|
-view a date histogram on a fixed interval of one day.
|
|
|
+Run the following aggregation on the data to calculate some interesting
|
|
|
+statistics:
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-GET /sample-01*/_search
|
|
|
+GET /my-data-stream/_search
|
|
|
{
|
|
|
"size": 0,
|
|
|
"aggs": {
|
|
|
@@ -341,122 +333,257 @@ GET /sample-01*/_search
|
|
|
|
|
|
[discrete]
|
|
|
[[downsampling-manual-run]]
|
|
|
-==== Run downsampling for the index
|
|
|
+==== Downsample the TSDS
|
|
|
|
|
|
-Before running downsampling, the index needs to be set to read only mode:
|
|
|
+A TSDS can't be downsampled directly. You need to downsample its backing indices
|
|
|
+instead. You can see the backing index for your data stream by running:
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-PUT /sample-01/_block/write
|
|
|
+GET /_data_stream/my-data-stream
|
|
|
----
|
|
|
// TEST[continued]
|
|
|
|
|
|
-And now, you can use the <<indices-downsample-data-stream,downsample API>> to
|
|
|
-downsample the index, setting the time series interval to one hour:
|
|
|
+This returns:
|
|
|
+
|
|
|
+[source,console-result]
|
|
|
+----
|
|
|
+{
|
|
|
+ "data_streams": [
|
|
|
+ {
|
|
|
+ "name": "my-data-stream",
|
|
|
+ "timestamp_field": {
|
|
|
+ "name": "@timestamp"
|
|
|
+ },
|
|
|
+ "indices": [
|
|
|
+ {
|
|
|
+ "index_name": ".ds-my-data-stream-2023.07.26-000001", <1>
|
|
|
+ "index_uuid": "ltOJGmqgTVm4T-Buoe7Acg"
|
|
|
+ }
|
|
|
+ ],
|
|
|
+ "generation": 1,
|
|
|
+ "status": "GREEN",
|
|
|
+ "template": "my-data-stream-template",
|
|
|
+ "hidden": false,
|
|
|
+ "system": false,
|
|
|
+ "allow_custom_routing": false,
|
|
|
+ "replicated": false,
|
|
|
+ "time_series": {
|
|
|
+ "temporal_ranges": [
|
|
|
+ {
|
|
|
+ "start": "2023-07-26T09:26:42.000Z",
|
|
|
+ "end": "2023-07-26T13:26:42.000Z"
|
|
|
+ }
|
|
|
+ ]
|
|
|
+ }
|
|
|
+ }
|
|
|
+ ]
|
|
|
+}
|
|
|
+----
|
|
|
+// TESTRESPONSE[s/".ds-my-data-stream-2023.07.26-000001"/$body.data_streams.0.indices.0.index_name/]
|
|
|
+// TESTRESPONSE[s/"ltOJGmqgTVm4T-Buoe7Acg"/$body.data_streams.0.indices.0.index_uuid/]
|
|
|
+// TESTRESPONSE[s/"2023-07-26T09:26:42.000Z"/$body.data_streams.0.time_series.temporal_ranges.0.start/]
|
|
|
+// TESTRESPONSE[s/"2023-07-26T13:26:42.000Z"/$body.data_streams.0.time_series.temporal_ranges.0.end/]
|
|
|
+<1> The backing index for this data stream.
|
|
|
+
|
|
|
+Before a backing index can be downsampled, the TSDS needs to be rolled over and
|
|
|
+the old index needs to be made read-only.
|
|
|
+
|
|
|
+Roll over the TSDS using the <<indices-rollover-index,rollover API>>:
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-POST /sample-01/_downsample/sample-01-downsample
|
|
|
+POST /my-data-stream/_rollover/
|
|
|
+----
|
|
|
+// TEST[continued]
|
|
|
+
|
|
|
+Copy the name of the `old_index` from the response. In the following steps,
|
|
|
+replace the index name with that of your `old_index`.
|
|
|
+
|
|
|
+The old index needs to be set to read-only mode. Run the following request:
|
|
|
+
|
|
|
+[source,console]
|
|
|
+----
|
|
|
+PUT /.ds-my-data-stream-2023.07.26-000001/_block/write
|
|
|
+----
|
|
|
+// TEST[skip:We don't know the index name at test time]
|
|
|
+
|
|
|
+Next, use the <<indices-downsample-data-stream,downsample API>> to downsample
|
|
|
+the index, setting the time series interval to one hour:
|
|
|
+
|
|
|
+[source,console]
|
|
|
+----
|
|
|
+POST /.ds-my-data-stream-2023.07.26-000001/_downsample/.ds-my-data-stream-2023.07.26-000001-downsample
|
|
|
{
|
|
|
"fixed_interval": "1h"
|
|
|
}
|
|
|
----
|
|
|
-// TEST[continued]
|
|
|
+// TEST[skip:We don't know the index name at test time]
|
|
|
|
|
|
-Finally, delete the original index:
|
|
|
+Now you can <<modify-data-streams-api,modify the data stream>>, and replace the
|
|
|
+original index with the downsampled one:
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-DELETE /sample-01
|
|
|
+POST _data_stream/_modify
|
|
|
+{
|
|
|
+ "actions": [
|
|
|
+ {
|
|
|
+ "remove_backing_index": {
|
|
|
+ "data_stream": "my-data-stream",
|
|
|
+ "index": ".ds-my-data-stream-2023.07.26-000001"
|
|
|
+ }
|
|
|
+ },
|
|
|
+ {
|
|
|
+ "add_backing_index": {
|
|
|
+ "data_stream": "my-data-stream",
|
|
|
+ "index": ".ds-my-data-stream-2023.07.26-000001-downsample"
|
|
|
+ }
|
|
|
+ }
|
|
|
+ ]
|
|
|
+}
|
|
|
----
|
|
|
-// TEST[continued]
|
|
|
+// TEST[skip:We don't know the index name at test time]
|
|
|
+
|
|
|
+You can now delete the old backing index. But be aware this will delete the
|
|
|
+original data. Don't delete the index if you may need the original data in the
|
|
|
+future.
|
|
|
|
|
|
[discrete]
|
|
|
[[downsampling-manual-view-results]]
|
|
|
==== View the results
|
|
|
|
|
|
-
|
|
|
-Re-run your search query (note that when querying downsampled indices there are <<querying-downsampled-indices-notes,a few nuances to be aware of>>):
|
|
|
+Re-run the earlier search query (note that when querying downsampled indices
|
|
|
+there are <<querying-downsampled-indices-notes,a few nuances to be aware of>>):
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-GET /sample-01*/_search
|
|
|
+GET /my-data-stream/_search
|
|
|
----
|
|
|
-// TEST[continued]
|
|
|
+// TEST[skip:Because we've skipped the previous steps]
|
|
|
|
|
|
-In the query results, notice that the number of hits has been reduced to only 288
|
|
|
-documents. As well, for each time series metric statistical representations have
|
|
|
-been calculated: `min`, `max`, `sum`, and `value_count`.
|
|
|
+The TSDS with the new downsampled backing index contains just one document. For
|
|
|
+counters, this document would only have the last value. For gauges, the field
|
|
|
+type is now `aggregate_metric_double`. You see the `min`, `max`, `sum`, and
|
|
|
+`value_count` statistics based off of the original sampled metrics:
|
|
|
|
|
|
[source,console-result]
|
|
|
----
|
|
|
+{
|
|
|
+ "took": 2,
|
|
|
+ "timed_out": false,
|
|
|
+ "_shards": {
|
|
|
+ "total": 4,
|
|
|
+ "successful": 4,
|
|
|
+ "skipped": 0,
|
|
|
+ "failed": 0
|
|
|
+ },
|
|
|
"hits": {
|
|
|
"total": {
|
|
|
- "value": 288,
|
|
|
+ "value": 1,
|
|
|
"relation": "eq"
|
|
|
},
|
|
|
"max_score": 1,
|
|
|
"hits": [
|
|
|
{
|
|
|
- "_index": "sample-01-downsample",
|
|
|
- "_id": "WyHN6N6AwdaJByQWAAABgYNYIYA",
|
|
|
+ "_index": ".ds-my-data-stream-2023.07.26-000001-downsample",
|
|
|
+ "_id": "0eL0wC_4-45SnTNFAAABiZHbD4A",
|
|
|
"_score": 1,
|
|
|
"_source": {
|
|
|
- "@timestamp": "2022-06-20T23:00:00.000Z",
|
|
|
- "_doc_count": 81,
|
|
|
- "kubernetes.host": "gke-apps-0",
|
|
|
- "kubernetes.namespace": "namespace26",
|
|
|
- "kubernetes.node": "gke-apps-0-1",
|
|
|
- "kubernetes.pod": "gke-apps-0-1-0",
|
|
|
- "kubernetes.container.cpu.usage.nanocores": {
|
|
|
- "min": 23344,
|
|
|
- "max": 163408,
|
|
|
- "sum": 7488985,
|
|
|
- "value_count": 81
|
|
|
- },
|
|
|
- "kubernetes.container.memory.available.bytes": {
|
|
|
- "min": 167751844,
|
|
|
- "max": 1182251090,
|
|
|
- "sum": 58169948901,
|
|
|
- "value_count": 81
|
|
|
- },
|
|
|
- "kubernetes.container.memory.rss.bytes": {
|
|
|
- "min": 54067,
|
|
|
- "max": 391987,
|
|
|
- "sum": 17550215,
|
|
|
- "value_count": 81
|
|
|
- },
|
|
|
- "kubernetes.container.memory.pagefaults": {
|
|
|
- "min": 69086,
|
|
|
- "max": 428910,
|
|
|
- "sum": 20239365,
|
|
|
- "value_count": 81
|
|
|
- },
|
|
|
- "kubernetes.container.memory.workingset.bytes": {
|
|
|
- "min": 323420,
|
|
|
- "max": 2279342,
|
|
|
- "sum": 104233700,
|
|
|
- "value_count": 81
|
|
|
- },
|
|
|
- "kubernetes.container.memory.usage.bytes": {
|
|
|
- "min": 61401416,
|
|
|
- "max": 413064069,
|
|
|
- "sum": 18557182404,
|
|
|
- "value_count": 81
|
|
|
+ "@timestamp": "2023-07-26T11:00:00.000Z",
|
|
|
+ "_doc_count": 10,
|
|
|
+ "ingest_time": "2023-07-26T11:26:42.715Z",
|
|
|
+ "kubernetes": {
|
|
|
+ "container": {
|
|
|
+ "cpu": {
|
|
|
+ "usage": {
|
|
|
+ "core": {
|
|
|
+ "ns": 12828317850
|
|
|
+ },
|
|
|
+ "limit": {
|
|
|
+ "pct": 0.0000277905
|
|
|
+ },
|
|
|
+ "nanocores": {
|
|
|
+ "min": 38907,
|
|
|
+ "max": 153404,
|
|
|
+ "sum": 992677,
|
|
|
+ "value_count": 10
|
|
|
+ },
|
|
|
+ "node": {
|
|
|
+ "pct": 0.0000277905
|
|
|
+ }
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "memory": {
|
|
|
+ "available": {
|
|
|
+ "bytes": {
|
|
|
+ "min": 279586406,
|
|
|
+ "max": 1062428344,
|
|
|
+ "sum": 7101494721,
|
|
|
+ "value_count": 10
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "majorpagefaults": 0,
|
|
|
+ "pagefaults": {
|
|
|
+ "min": 74843,
|
|
|
+ "max": 302252,
|
|
|
+ "sum": 2061071,
|
|
|
+ "value_count": 10
|
|
|
+ },
|
|
|
+ "rss": {
|
|
|
+ "bytes": {
|
|
|
+ "min": 91914,
|
|
|
+ "max": 402801,
|
|
|
+ "sum": 2389770,
|
|
|
+ "value_count": 10
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "usage": {
|
|
|
+ "bytes": {
|
|
|
+ "min": 100475044,
|
|
|
+ "max": 379572388,
|
|
|
+ "sum": 2668170609,
|
|
|
+ "value_count": 10
|
|
|
+ },
|
|
|
+ "limit": {
|
|
|
+ "pct": 0.00009923134
|
|
|
+ },
|
|
|
+ "node": {
|
|
|
+ "pct": 0.017700378
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "workingset": {
|
|
|
+ "bytes": {
|
|
|
+ "min": 431227,
|
|
|
+ "max": 2294743,
|
|
|
+ "sum": 14230488,
|
|
|
+ "value_count": 10
|
|
|
+ }
|
|
|
+ }
|
|
|
+ },
|
|
|
+ "name": "container-name-44",
|
|
|
+ "start_time": "2021-03-30T07:59:06.000Z"
|
|
|
+ },
|
|
|
+ "host": "gke-apps-0",
|
|
|
+ "namespace": "namespace26",
|
|
|
+ "node": "gke-apps-0-0",
|
|
|
+ "pod": "gke-apps-0-0-0"
|
|
|
}
|
|
|
}
|
|
|
- },
|
|
|
-...
|
|
|
+ }
|
|
|
+ ]
|
|
|
+ }
|
|
|
+}
|
|
|
----
|
|
|
-// TEST[skip:todo]
|
|
|
+// TEST[skip:Because we've skipped the previous step]
|
|
|
|
|
|
-You can now re-run the earlier aggregation. Even though the aggregation runs on
|
|
|
-the downsampled data stream that only contains 288 documents, it returns the
|
|
|
-same results as the earlier aggregation on the original data stream.
|
|
|
+Re-run the earlier aggregation. Even though the aggregation runs on the
|
|
|
+downsampled TSDS that only contains 1 document, it returns the same results as
|
|
|
+the earlier aggregation on the original TSDS.
|
|
|
|
|
|
[source,console]
|
|
|
----
|
|
|
-GET /sample-01*/_search
|
|
|
+GET /my-data-stream/_search
|
|
|
{
|
|
|
"size": 0,
|
|
|
"aggs": {
|
|
|
@@ -493,13 +620,13 @@ GET /sample-01*/_search
|
|
|
}
|
|
|
}
|
|
|
----
|
|
|
-// TEST[continued]
|
|
|
+// TEST[skip:Because we've skipped the previous steps]
|
|
|
|
|
|
This example demonstrates how downsampling can dramatically reduce the number of
|
|
|
-records stored for time series data, within whatever time boundaries you choose.
|
|
|
-It's also possible to perform downsampling on already downsampled data, to
|
|
|
-further reduce storage and associated costs, as the time series data ages and
|
|
|
+documents stored for time series data, within whatever time boundaries you
|
|
|
+choose. It's also possible to perform downsampling on already downsampled data,
|
|
|
+to further reduce storage and associated costs, as the time series data ages and
|
|
|
the data resolution becomes less critical.
|
|
|
|
|
|
-Downsampling is very easily integrated within an ILM policy. To learn more, try
|
|
|
-the <<downsampling-ilm,Run downsampling with ILM>> example.
|
|
|
+The recommended way to downsample a TSDS is with ILM. To learn more, try the
|
|
|
+<<downsampling-ilm,Run downsampling with ILM>> example.
|
Abdon Pijpelink