Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filebeat performance when sending to Logstash #587

Closed
tsg opened this issue Dec 22, 2015 · 1 comment
Closed

Filebeat performance when sending to Logstash #587

tsg opened this issue Dec 22, 2015 · 1 comment
Labels
bug

Comments

@tsg
Copy link
Contributor

tsg commented Dec 22, 2015

There have been reports that the Filebeat -> Logstash communication doesn't seem to be as efficient as expected. For reference, the reported numbers were 3 K/s events by Filebeat, compared to the TCP input doing 39 K/s or the Logstash-Forwarder doing around 13 K/s (in a report from another user).

I did some tests and could get Filebeat up to 16 K/s when running together with Logstash on the same, relatively powerful, machine (8 CPU threads), by increasing the bulk_max_size option of the Logstash output in Filebeat to 3000.

The bulk_max_size option used to have a default of 10000 and was recently reduced to 200 due to memory issues in Packetbeat when Logstash is not available (it can allocate 1000 x 10k events). The change from 10k to 200 didn't affect the performance of the async publisher in Packetbeat. However, as seen above, it affects the performance of the sync publisher in Filebeat. One possible easy solution would be to have different defaults for the sync and async types, but it seems to me like we need a bit more investigations here to figure out exactly what happens. IMHO, 200 should be enough for good performance, as also confirmed by the async version.

For reference, I used this Logstash config:

input {
    beats {
        port => 5044
    }
}

filter {
    metrics {
        meter => "events"
        add_tag => "metric"
    }
}

output {
    if "metric" in [tags] {
        stdout {
            codec => line {
                format => "Rate: %{[events][rate_1m]}"
            }
        }
    } else {
        null {
            workers => 2
        }
    }
}

And this Filebeat config:

filebeat:
  prospectors:
    -
      paths:
        - /home/tsg/testbed/logs/*
      input_type: log

output:
  logstash:
    hosts: ["localhost:5044"]
    bulk_max_size: 3000

The logs used for testing were downloaded from here.

We should also look into what the bottleneck is besides the bulk_max_size option, because both Filebeat and Logstash didn't seem to fill their whole CPU potential (Filebeat was ~40% CPU usage, LS was at ~150% CPU usage, but looking at the thread view, the largest was ~60%).
@urso urso mentioned this issue Jan 5, 2016
Merged
@urso
Copy link

urso commented Jan 7, 2016

updated default queue sizes to increase throughput and reduce buffering in libbeat.

@urso urso closed this as completed Jan 7, 2016
nxhack pushed a commit to nxhack/logstash that referenced this issue Jan 8, 2016
https://github.com/elastic/beats/issues/587
da11651
@ykodgule ykodgule mentioned this issue Mar 18, 2016
Closed
@andrewkroh andrewkroh mentioned this issue Jan 14, 2020
Closed
51 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@urso @tsg