search

tagomoris / fluent-plugin-flowcounter

TODO: one-line summary of your gem
Other
53 stars 20 forks source link

<match *.**> or <match **> doesn't output flowcounter data. #15

Closed jdoss closed 8 years ago

jdoss commented 8 years ago

Sorry in advance for such a long issues post. I am seeing that using match with a wildcard has issues. Here is a list of plugins and versions:

2016-01-06 21:17:37 +0000 [info]: starting fluentd-0.12.19
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-mixin-config-placeholders' version '0.3.0'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-mixin-plaintextformatter' version '0.2.6'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-elasticsearch' version '1.2.1'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-esslowquery' version '1.0.1'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-flowcounter' version '0.3.2'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-flowcounter-simple' version '0.0.4'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-influxdb' version '0.2.2'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-mongo' version '0.7.11'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-rewrite-tag-filter' version '1.5.4'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-s3' version '0.6.4'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-scribe' version '0.10.14'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-secure-forward' version '0.3.4'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-td' version '0.10.28'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-td-monitoring' version '0.2.1'
2016-01-06 21:17:37 +0000 [info]: gem 'fluent-plugin-webhdfs' version '0.4.1'
2016-01-06 21:17:37 +0000 [info]: gem 'fluentd' version '0.12.19'
2016-01-06 21:17:37 +0000 [info]: adding filter pattern="*.**" type="record_transformer"
2016-01-06 21:17:37 +0000 [info]: adding match pattern="*.**" type="flowcounter"
2016-01-06 21:17:37 +0000 [info]: adding match pattern="fluentd.traffic" type="stdout"

When I use <match **.*> or <match **> (like simple in the example below) no flowcounter data is produced. 

<match *.**>
    @type flowcounter
    count_keys *
    unit       second
    aggregate  all
    tag        fluentd.traffic
</match>

<match fluentd.traffic>
@type stdout
</match>

Changing to a nonwildcard match like this:

<match system.**>
    @type flowcounter
    count_keys *
    unit       second
    aggregate  all
    tag        fluentd.traffic
</match>

<match fluentd.traffic>
@type stdout
</match>

Will produce flowcounter data as expected.

2016-01-06 21:17:33 +0000 fluentd.traffic: {"count":12,"bytes":3419,"count_rate":12.0,"bytes_rate":3419.0,"instance_hostname":"dev","instance_environment":"development","instance_purpose":"dev"}
2016-01-06 21:17:34 +0000 fluentd.traffic: {"count":4,"bytes":1402,"count_rate":4.0,"bytes_rate":1402.0,"instance_hostname":"dev","instance_environment":"development","instance_purpose":"dev"}
2016-01-06 21:17:35 +0000 fluentd.traffic: {"count":7,"bytes":2456,"count_rate":7.0,"bytes_rate":2456.0,"instance_hostname":"dev","instance_environment":"development","instance_purpose":"dev"}
2016-01-06 21:17:36 +0000 fluentd.traffic: {"count":7,"bytes":2442,"count_rate":7.0,"bytes_rate":2442.0,"instance_hostname":"dev","instance_environment":"development","instance_purpose":"dev"}

One odd thing I did notice is with my current testing config which uses out_copy to send data to ES, S3 and Flowcounter, the <match *.**> sends data to ES and S3 stores just fine but the flowcounter store which just tags so it can be shipped to influxdb doesn't work but it ends up in ES.

Here is a TL; DR of my config: 

# Ship all data to the aggregator over SSL
<match *.**>
@type copy

#Elasticsearch Secure Forward
  <store>
  @type secure_forward
 ... snip ...
  </store>

#S3 Secure Forward
  <store>
  @type secure_forward
  ... snip ...
  </store>

# Flowcounter
  <store>
    @type flowcounter
    count_keys *
    unit       second
    aggregate  all
    tag        fluentd.traffic
  </store>
</match>

<match fluentd.traffic>
  @type influxdb
... snip ...
</match>

The fluentd.traffic tag doesn't end up in influxdb (or @type stdout either) but it ends up in ES??

{
  "_index": "logstash-2016.01.06",
  "_type": "fluentd",
  "_id": "AVIY5HHU_Zv_C0vUl0n4",
  "_score": null,
  "_source": {
    "count": 3,
    "bytes": 453,
    "count_rate": 3,
    "bytes_rate": 453,
    "instance_hostname": "dev",
    "instance_environment": "development",
    "instance_purpose": "dev",
    "@log_name": "fluentd.traffic",
    "@timestamp": "2016-01-06T21:42:41+00:00"
  },
  "fields": {
    "@timestamp": [
      1452116561000
    ]
  },
  "sort": [
    1452116561000
  ]
}
tagomoris commented 8 years ago

It's just a misconfiguration. Your output records with tag fluentd.traffic are captured by <match *.**> section, not <match fluentd.traffic> section. Write <match fluentd.traffic> section before <match *.**> in configuration file.