Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[alerting event log] buffer events being written instead of writing when logged #55634

Closed
pmuellr opened this issue Jan 22, 2020 · 2 comments · Fixed by #80941 or #83927
Closed

[alerting event log] buffer events being written instead of writing when logged #55634

pmuellr opened this issue Jan 22, 2020 · 2 comments · Fixed by #80941 or #83927
Assignees
Labels
Feature:EventLog Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@pmuellr
Copy link
Member

pmuellr commented Jan 22, 2020

Currently, event log entries are written to the es index when clients make the call to log an event.

Instead, we should buffer these events, and do a bulk index (write) of them, as needed.

As needed probably means:

  • the buffer is getting full (eg, buffer of 100 entries) OR
  • a time limit elapses (eg, 5 seconds)

There is already an initial take on a "bounded queue", written to deal with this: https://github.com/elastic/kibana/blob/master/x-pack/plugins/event_log/server/lib/bounded_queue.ts

Having these buffered solves a couple of issues:

  • changes from constant, small index requests to ES, to more occasional bulk index request; presumably performing a bit better
  • handles some cases of ES not being available; if the write fails, we can keep the buffer around, and try again later, in hopes that ES comes back up

One other note I've been thinking of. We probably want to assign id's for the event log entries as uuid's, or other unique keys we can generate in the plugin. If we can do that, since the event_log is append only, if the same event gets written twice, for some reason, the second would just be overwriting the first, rather than appearing as a clone entry of the first.

@pmuellr pmuellr added Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Jan 22, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@pmuellr
Copy link
Member Author

pmuellr commented Oct 16, 2020

Was just poking through rxjs, and noticed a handy bufferTime() operator, that will buffer up to a max count or elapsed time period, which would be perfect for this use case.

We'll likely want to buffer for 1 to some small number of seconds, for maybe 100 events max. We can then do a bulk index of those events.

@pmuellr pmuellr self-assigned this Oct 26, 2020
pmuellr added a commit to pmuellr/kibana that referenced this issue Nov 16, 2020
resolves elastic#55634

Buffers event docs being written for a fixed interval / buffer size,
and indexes those docs via a bulk ES call.
pmuellr added a commit that referenced this issue Nov 20, 2020
resolves #55634
resolves #65746

Buffers event docs being written for a fixed interval / buffer size,
and indexes those docs via a bulk ES call.

Also now flushing those buffers at plugin stop() time, which
we couldn't do before with the single index calls, which were
run via `setImmediate()`.
pmuellr added a commit to pmuellr/kibana that referenced this issue Nov 20, 2020
…#80941)

resolves elastic#55634
resolves elastic#65746

Buffers event docs being written for a fixed interval / buffer size,
and indexes those docs via a bulk ES call.

Also now flushing those buffers at plugin stop() time, which
we couldn't do before with the single index calls, which were
run via `setImmediate()`.
pmuellr added a commit to pmuellr/kibana that referenced this issue Nov 20, 2020
resolves elastic#55634
resolves elastic#65746

Buffers event docs being written for a fixed interval / buffer size,
and indexes those docs via a bulk ES call.

Also now flushing those buffers at plugin stop() time, which
we couldn't do before with the single index calls, which were
run via `setImmediate()`.

This is a redo of PR elastic#80941 which
had to be reverted.
pmuellr added a commit that referenced this issue Nov 20, 2020
…83927)

resolves #55634
resolves #65746

Buffers event docs being written for a fixed interval / buffer size,
and indexes those docs via a bulk ES call.

Also now flushing those buffers at plugin stop() time, which
we couldn't do before with the single index calls, which were
run via `setImmediate()`.

This is a redo of PR #80941 which
had to be reverted.
pmuellr added a commit to pmuellr/kibana that referenced this issue Nov 20, 2020
…lastic#83927)

resolves elastic#55634
resolves elastic#65746

Buffers event docs being written for a fixed interval / buffer size,
and indexes those docs via a bulk ES call.

Also now flushing those buffers at plugin stop() time, which
we couldn't do before with the single index calls, which were
run via `setImmediate()`.

This is a redo of PR elastic#80941 which
had to be reverted.
pmuellr added a commit that referenced this issue Nov 20, 2020
…83927) (#83962)

resolves #55634
resolves #65746

Buffers event docs being written for a fixed interval / buffer size,
and indexes those docs via a bulk ES call.

Also now flushing those buffers at plugin stop() time, which
we couldn't do before with the single index calls, which were
run via `setImmediate()`.

This is a redo of PR #80941 which
had to be reverted.
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:EventLog Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
None yet
4 participants