Skip to main content

Camel-Elasticsearch: create timestamped indices

One nice feature of the logstash-elasticsearch integration is that, by default, logstash will use timestamped indices when feeding data to elasticsearch.

This means that yesterday's data is in a separate index from today's data and from each other day's data, simplifying index management. For instance, suppose you only want to keep the last 30 days:

elasticsearch-remove-old-indices.sh -i 30

The Apache Camel Elasticsearch component provides no such feature out of the box, but luckily it is quite easy to implement (when you know what to do. /grin ).

As a matter of fact, it is enough to define the proper header on the message and the elasticsearch component will then use that header as the index name. Unfortunately this is not documented anywhere, but it can be understood by looking at the source. Once again: use the source, Luke.

So, let's suppose the route is something as simple as:

        <route autostartup="true" id="processMirthMessages-route">
            <from uri="sql:{{sql.selectMessage}}?consumer.delay=5000&consumer.onConsume={{sql.markMessage}}">
            <to uri="elasticsearch://mirth?operation=INDEX&indexType=mmsg">
        </to></from></route>

Then all that is needed to is to define a content enricher bean as follows:

        <route autostartup="true" id="processMirthMessages-route">
            <from uri="sql:{{sql.selectMessage}}?consumer.delay=5000&consumer.onConsume={{sql.markMessage}}">
            <bean method="process" ref="eSheaders">
            <to uri="elasticsearch://mirth?operation=INDEX&indexType=mmsg">
        </to></bean></from></route>

The bean is also pretty simple (imports omitted for brevity):

public class ESHeaders {
    public void process(Exchange exchange) {
        Message in = exchange.getIn();
        DateFormat df=new SimpleDateFormat("YYYY.MM.dd");
        in.setHeader(ElasticsearchConfiguration.PARAM_INDEX_NAME, "mirth2-"+df.format(new Date()));
    }
}

Update: get timestamp index name from the message itself.

If the data to be indexed contains, as it should, a @timestamp field then the content enricher bean can be imrproved to use it as follows:

public void process(Exchange exchange) {
        Message in = exchange.getIn();
        String indexName=null;
        DateFormat df=new SimpleDateFormat("YYYY.MM.dd");
        try {
            Map body = (Map) in.getBody();
            if(body.containsKey("@timestamp")) {
                logger.trace("Computing indexName from @timestamp: "+body.get("@timestamp"));
                indexName = "mirth2-"+df.format((Date) body.get("@timestamp")));
            } else {
                indexName = "mirth2-"+df.format(new Date()));
            }
        } catch(Exception e) {
            logger.error("Cannot compute index name, failing back to default");
            indexName = "mirth2-"+df.format(new Date()));
        }
        in.setHeader(ElasticsearchConfiguration.PARAM_INDEX_NAME, indexName);
    }

Comments

Popular posts from this blog

Indexing Apache access logs with ELK (Elasticsearch+Logstash+Kibana)

Who said that grepping Apache logs has to be boring?

The truth is that, as Enteprise applications move to the browser too, Apache access logs are a gold mine, it does not matter what your role is: developer, support or sysadmin. If you are not mining them you are most likely missing out a ton of information and, probably, making the wrong decisions.
ELK (Elasticsearch, Logstash, Kibana) is a terrific, Open Source stack for visually analyzing Apache (or nginx) logs (but also any other timestamped data).

From 0 to ZFS replication in 5m with syncoid

The ZFS filesystem has many features that once you try them you can never go back. One of the lesser known is probably the support for replicating a zfs filesystem by sending the changes over the network with zfs send/receive.
Technically the filesystem changes don't even need to be sent over a network: you could as well dump them on a removable disk, then receive  from the same removable disk.

A not so short guide to TDD SaltStack formulas

One of the hardest parts about Infrastructure As Code and Configuration Management is establishing a discipline on developing, testing and deploying changes.
Developers follow established practices and tools have been built and perfected over the last decade and a half. On the other hand sysadmins and ops people do not have the same tooling and culture because estensive automation has only become a trend recently.

So if Infrastructure As Code allows you to version the infrastructure your code runs on, what good is it if then there are no tools or established practices to follow?

Luckily the situation is changing and in this post I'm outlining a methodology for test driven development of SaltStack Formulas.

The idea is that with a single command you can run your formula against a matrix of platforms (operating systems) and suites (or configurations). Each cell of the matrix will be tested and the result is a build failure or success much alike to what every half-decent developer of…