Open henrikno opened 2 years ago
henrikno
commented
2 years ago This hacky workaround seems to help some (from 8k/s to 13k/s):
- rename:
fields:
- from: metadata_architecture
to: drop.metadata_architecture
- from: metadata_availabilityZone
to: drop.metadata_availabilityZone
# etc
- drop_fields:
fields:
- drop
elasticmachine
commented
2 years ago Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
cmacknz
commented
2 years ago Can you start filebeat with profiling enabled and capture a CPU profile (ideally more than one) with the slow processors running? That will tell us where filebeat is spending its time.
You can start the profiling server with the --httpprof command line option (command documentation) or the configuration file (http endpoint documentation). You need to set at least http.enabled and http.pprof.enabled to true if using the configuration file.
Once you've started filebeat with profiling enabled you can capture 30 second CPU profiles with curl $HOST:$PORT/debug/pprof/profile -o profile.prof or equivalent.
henrikno
commented
2 years ago Attached 3 profiles + heap profile.zip These are from filebeat 8.1.0.
cmacknz
commented
2 years ago Awesome, thanks! All three CPU profiles look similar which is good. Here's a flamegraph from the first profile:
I see a bunch of time being spent formatting error messages in the dropFields processors (errors.Wrapf) that line up with what you've observed above.
cmacknz
commented
2 years ago This is the code path contributing to a large part of the slowness here:
We are building a slice of errors, so the more errors there are the more expensive it becomes as we both incur calls to errors.Wrapf and need to reallocate the slice as it grows (it reallocates each time it doubles).
henrikno
commented
2 years ago Ha, just noticed it now supports ignore_missing, which was added in 7.4. We probably added the processor before it was an option. That should make it a lot cheaper.
cmacknz
commented
2 years ago Yes, I was just about to suggest that. If it is still slow try and capture another profile if it isn't too much work, the problem is much easier to find that way. Likely it will just be the next slowest path in the current set of profiles though if you can't.
henrikno
commented
2 years ago Went from 10k docs/s to 20k/s! For reference I ran without any processors which reaches 30k/s. profile2.zip
I suppose go/the processors doesn't have something along the line of if log.isDebugEnabled { do_error_reporting } to avoid constructing them if they're never logged?
cmacknz
commented
2 years ago I suppose go/the processors doesn't have something along the line of if log.isDebugEnabled { do_error_reporting } to avoid constructing them if they're never logged?
No, processor error handling can definitely be improved.
Interestingly in the profile2.zip you attached, the profile-no-processors profile still has processors running. A different set than the profile-ignore-missing profile though.
Here is the processing flame graph of the "no processors" case:
Here is the processing flame graph of the "ignore missing" processors case:
The profiles are largely the same outside of the processing call stack, so I've omitted those branches.
cmacknz
commented
2 years ago The rename and drop_fields processors now spend most of their time in https://github.com/elastic/beats/blob/4bc4d19c28851306086e7f3abbe45b389d740c37/libbeat/common/mapstr.go#L436-L448
I also see the add dynamic fields metadata processor call stack spending the majority of its time in https://github.com/elastic/beats/blob/4bc4d19c28851306086e7f3abbe45b389d740c37/libbeat/common/mapstr.go#L150-L152
The improvements to make here aren't as obvious.
zez3
commented
1 year ago Hmm, @henrikno what does your beat.stats.libbeat.output.events.dropped show?
@cmacknz perhaps the Agent dashboard should include the dropped events as well
botelastic[bot]
commented
11 months ago Hi! We just realized that we haven't looked into this issue in a while. We're sorry!
We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!
zez3
commented
11 months ago ahh :(
cmacknz
commented
11 months ago We have reproduced something similar to this in our internal benchmarks, no fix yet unfortunately.
Hi, We're parsing some json-formatted high-volume logs, and noticed that we could only process up to 8000 documents per second per filebeat. I tried to narrow down what's the bottleneck. By just reading the file and parsing as json, I could get up to 20k documents per second. Then I commented in our list of processors that rename some fields, drop some unnecessary fields etc. I found that the slowest processor seems to be
drop_fields. Dropping the first 16 fields alone takes it from 20k/s to 12k/s, then the other conditional one makes it drop to 8k/s.Sample filebeat:
I was watching the number of events per second while commenting out each processor, and each time the performance increased:
Turning on debug logging I see some failures to remove fields that don't exist (some of them are optinal, and some have been renamed in later versions), but it shouldn't be that expensive to check if a field exists?
(Tested on 7.12, but also tried 8.1.0 with no improvement in performance)