book

Mastering Elastic Stack

Name: Mastering Elastic Stack
ISBN: 9781786460011

by Ravi Kumar Gupta, Yuvraj Gupta

February 2017

Intermediate to advanced

526 pages

10h 8m

English

Packt Publishing

Read now

Unlock full access

Mastering Elastic Stack
Mastering Elastic Stack
Credits
About the Authors
About the Reviewer
www.PacktPub.com
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for

Conventions
Reader feedback
Customer support
Downloading the example codeErrataPiracyQuestions
1. Elastic Stack Overview
Introduction to ELK StackLogstashElasticsearchKibana
The birth of Elastic Stack
Beat
Who uses Elastic Stack?
SalesforceCERNGreen Man Gaming
Stack competitors
Setting up Elastic Stack
Installation of JavaInstallation of Java on Ubuntu 14.04Installation of Java on WindowsInstallation of ElasticsearchInstallation of Elasticsearch on Ubuntu 14.04Installation of Elasticsearch on WindowsInstallation of Elasticsearch as a serviceInstallation of KibanaInstallation of Kibana on Ubuntu 14.04Installation of Kibana on WindowsInstallation of LogstashInstallation of Logstash on Ubuntu 14.04Installation of Logstash on WindowsInstallation of FilebeatInstallation of Filebeat on Ubuntu 14.04Installation of Filebeat on Windows
X-Pack
Summary
2. Stepping into Elasticsearch
The beginning of ElasticsearchKey features
Understanding the architecture
Recommended cluster configurationsMinimum master nodesLocal cluster settingsUnderstanding document processing
Elasticsearch APIs
Document APIsSingle document APIsIndex APIGet APIDelete APIUpdate APIMulti-document APIsMulti-get APIBulk APISearch APIsSearch APIQuery parametersSearch shard APIMulti-search APIsCount APIValidate APIExplain APIProfile APIField stat APIIndices APIsManaging indicesCreating an indexChecking if an index existsGetting index informationManaging index settingsGetting index statsGetting index segmentsGetting index recovery informationGetting shard stores informationIndex aliasesMappingsClosing, opening, and deleting an indexOther operationsCat APIsCluster APIs
Query DSL
Aggregations
BucketMetrics aggregationsAvg aggregationMin aggregationMax aggregationPercentiles AggregationSum aggregationValue count aggregationCardinality aggregationStats aggregationExtended stats aggregation
A note for painless scripting
Summary
3. Exploring Logstash and Its Plugins
Introduction to Logstash
Why do we need Logstash?
Features of Logstash
Logstash Plugin Architecture
Logstash Configuration File Structure
Value typesArrayBooleanBytesCodecCommentsHashNumberStringUse of Conditionals
Types of Plugins
Input pluginsFilter pluginsOutput pluginsCodec plugins
Exploring Input Plugins
stdinfilepathudp
Exploring Filter Plugins
grokmutatecsv
Exploring Output Plugins
stdoutfileelasticsearch
Exploring Codec Plugins
rubydebugjsonavromultiline
Plugins Command-Line Options
Listing of PluginsInstalling a pluginRemoving a pluginUpdating a pluginPacking a pluginUnpacking a plugin
Logstash command-line options
Logstash Tips and Tricks
Referencing fields and Its valuesAdding custom-created grok patternsLogstash does not show any outputWhen an input file has already been completely readWhen an input file is not modified since 1 day
Logstash Configuration for Parsing Logs
Sample Catalina logsSample Tomcat logsGrok pattern for Catalina logsGrok pattern for Tomcat logsLogstash configuration file
Monitoring APIs
Node info APIOS InfoJVM infoPipleine InfoPlugins Info APINode stats APIJVM statsProcess statsPipeline statsHot threads APIThreadsHumanIgnore idle threads
Summary
4. Kibana Interface
Kibana and its offeringsKibana interface
Exploring the discover interface
Time Filter
Quick time filterRelative time filterAbsolute time filterAuto-refresh
Querying and Searching data
Full-text searchesRange searchesBoolean searchesProximity searchWildcard searchesRegular expressions searchGrouping
Fields and filters
Filtering the fieldFunctionalities of filters
Discovery page options
Exploring the visualize interface
Understanding aggregationsBucket aggregationsMetric aggregationsVisualization CanvasArea chartData tableLine chartBubble chartMarkdown widgetMetricPie chartTag cloudsTile mapTime seriesVertical bar chart
Exploring the Dashboard interface
Understanding Timelion
Exploring Dev Tools
Exploring the Management interface
Index patternsSaved objectsAdvanced SettingsStatus
Putting it all together
Input dataCreating a Logstash configuration fileUsing KibanaTop states based on 2003 RUCCTop states based on 2003 UICTop five area names with less than high school diploma 1970Top five area names with high school diploma 1970Percentage of adults having less than high school diploma in 1970 by area and stateTop states as per their count and their top 2013 RUCCInsightsCreating a dashboard in Kibana
Summary
5. Using Beats
Introduction to Beats
How Beats differ from Logstash
How Beats fits into Elastic Stack
An overview of the different types of Beats
Beats by Elastic TeamPacketbeatMetricbeatFilebeatWinlogbeatLibbeatBeats by communityDockbeatLmsensorbeat
Exploring Elastic Team Beats
Understanding FilebeatFilebeat Prospectors ConfigurationProcessors configurationDefining a processorOutput ConfigurationElasticsearch Output ConfigurationLogstash Output ConfigurationLogging ConfigurationUnderstanding MetricbeatSystem ModuleCPU metricsetDisk I/O metricsetFilesystem metricsetFsStat metricsetLoad metricsetMemory metricsetNetwork metricsetProcess MetricsetInstallation of MetricbeatInstallation of Metricbeat on Ubuntu 14.04Understanding PacketbeatInstallation of PacketbeatInstallation of Packetbeat on Ubuntu 14.04
Exploring Community Beats
Understanding ElasticbeatInstallation of ElasticbeatInstallation of Elasticbeat on Ubuntu 14.04Elasticbeat configuration
Beats in action with Elastic Stack
Exploring Metricbeat with Logstash and KibanaStep 1-Configuring Metricbeat to send data to LogstashStep 2-Creating a Logstash configuration fileStep 3-Downloading and loading the sample Beats dashboardStep 4-Viewing the sample Beats dashboardExploring Elasticbeat with Elasticsearch and KibanaStep 1-Configuring Elasticbeat to send data to ElasticsearchStep 2-Downloading and loading the Elasticbeat dashboardStep 3-Viewing the sample Beats dashboard
Summary
6. Elastic Stack in Action
Understanding problem scenarioUnderstanding the architecture
Preparing Elastic Stack pipeline
What to capture?Updated architecture
Configuring Elastic Stack components
Setting up ElasticsearchSetting up agents/BeatsPacketbeatMetricbeatFilebeatSetting up Logstashgrok for nginxlogsgrok for liferaylogsgrok for openDJ logs.Config FileSetting up Kibana
Setting up Kibana Dashboards
PacketBeatMetricBeatChecking DB (MySQL) PerformanceAnalyzing CPU usageKeeping an eye on memoryChecking logsFinding most visited pagesVisitors' mapNumber of visitors in a time frameRequest TypesError type-log levelsTop referrersTop agents
Alerting using Logstash e-mail capability
Using a message broker
Summary
7. Customizing Elastic Stack
Extending ElasticsearchElasticsearch development environmentAnatomy of an Elasticsearch Java pluginBuilding the plugin
Extending Logstash
Generating a pluginAnatomy of the pluginweather.rb filePlugin logic implementationReading data from API end pointPreparing an eventPublish the eventBuilding and installing a pluginTesting our plugin
Extending Beats
libbeat frameworkCreating a beatAnatomy of a BeatBeat configurationweatherbeat.go fileImplementing beat logicAdding the ConfigurationReading data from APIParsing the dataPreparing an eventPublishing the eventRunning the beat
Extending Kibana
Setting up Kibana development environmentGenerating the pluginAnatomy of a plugin
Summary
8. Elasticsearch APIs
The cluster APIsCluster healthCluster StateCluster statsPending tasksCluster rerouteCluster update settingsNode statsNodes info APITask Management API
The cat APIs
Elasticsearch modules
Cluster moduleDiscovery moduleGateway moduleHTTP moduleIndices moduleNetwork moduleNode clientPlugins moduleScriptingSnapshot/restore moduleThread poolsTransport moduleTribe nodes module
Ingest nodes
Elasticsearch clients
Supported clientsCommunity contributed clients
Java API
Connecting to a ClusterAdmin tasksManaging indicesCreating an indexGetting index settingsUpdating index settingsRefreshing an indexManaging clustersGetting cluster tasksGetting cluster healthIndex-level tasksManaging documentsIndexing a documentGetting a documentDeleting a documentUpdating a documentQuery DSL and search APIAggregations
Elasticsearch plugins
Discovery pluginsIngest pluginsElasticsearch SQL
Summary
9. X-Pack: Security and Monitoring
Introduction to X-Pack
Installation of X-Pack
Installing X-Pack in ElasticsearchInstalling X-Pack in KibanaInstalling X-Pack on offline systemsUninstalling X-Pack
Security
Listing of all users in securityListing of roles in securityUnderstanding roles in securityUnderstanding Cluster PrivilegesUnderstanding Run As privilegesUnderstanding Indices privilegesDecoding default user roleskibana_usersuperusertransport_clientAdding a role in securityUpdating a role in securityUnderstanding Field Level SecurityAdding a user in securityUpdating user details in securityChanging the password of a user in securityDeleting a role in securityDeleting a user in security
Viewing X-Pack information
Enabling and disabling of X-Pack features
Monitoring
Exploring monitoring statistics for ElasticsearchDiscovering the Overview tabDiscovering the Indices tabDiscovering the Nodes tabExploring monitoring statistics for Kibana
Understanding Profiler
Summary
10. X-Pack: Alerting, Graph, and Reporting
Alerting and notificationWorking of watcherTriggerSchedule triggerInputSimple inputSearch inputHTTP inputChain inputConditionsAlways conditionNever conditionCompare conditionArray compare conditionScript conditionTransformsSearch transformScript transformChain transformActionsThrottling
Graph
Working of GraphGraph UI
Reporting
Summary
11. Best Practices
Why do we require best practices?
Understanding your use case
Managing configuration files
Elasticsearch - elasticsearch.ymlKibana - kibana.yml
Choosing the right set of hardware
MemoryJava heap sizeSwapping memoryDisksSizing disk spaceI/OCPUNetwork
Searching and indexing performance
Filter cacheFielddata sizeIndexing buffer
Sizing the Elasticsearch cluster
Choosing the right kind of nodeMaster and data nodeMaster nodeData nodeIngest nodeNo master, no data, and no ingest nodeDetermining the number of nodesDetermining the number of shardsReducing disk space
Logstash configuration file
Categorizing multiple sources of dataUsing conditionalsUsing custom grok patternsSimplifying _grokparsefailureMapping of fieldsDynamic templatingTesting configuration
Re-indexing data
Using aliases
Summary
12. Case Study-Meetup
Understanding meetup scenario
Setting things up
A bit of Meetup API understandingSetting up ElasticsearchPreparing LogstashSetting up Kibana
Analyzing data using Kibana
Filtering ContentNumber of Meetups by CountryTop 10 meetup cities in worldMeetups trends by durationMeetups by RSVP CountsNumber of Groups by countryNumber of Groups by join modePopular CategoriesPopular TopicsMeetup Venue MapMeetups on MapJust the number of things
Getting Notified
Summary

Content preview from Mastering Elastic Stack

Logstash Tips and Tricks

There are a few tips related to Logstash, which are described in the following sections.

Referencing fields and Its values

In the Logstash configuration file, you can refer to a field by its name and can subsequently pass the value of a field into another field. If you want to refer to a top-level field, use the field name directly. If you want to refer to a nested field, use the [top-level field][nested field] syntax. To refer the field, Logstash uses the sprintf format, which helps us to refer to the field values.

The sprintf format is as follows:

%{[top-level field][nested field].....}

For example:

output {   
        elasticsearch { 
                document_type => "%{@version}" 
                index => "logstash_%{type}_%{+YYYY-MM-dd-H}" 
  } 
}

Note

The index name ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781786460011

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design