index free log analytics with kafka
play

Index-Free Log Analytics with Kafka Kresten Krab Thorup, Humio CTO - PowerPoint PPT Presentation

Oct 17, 2022 •541 likes •1.03k views

Index-Free Log Analytics with Kafka Kresten Krab Thorup, Humio CTO Log Everything, Answer Anything, In Real-Time. Log Analytics Wish List Record everything - TBs of data per day Interactive/ad-hoc search on historic data -

  1. Index-Free Log Analytics 
 with Kafka Kresten Krab Thorup, Humio CTO Log Everything, Answer Anything, In Real-Time.

  2. Log Analytics Wish List • Record everything - TB’s of data per day • Interactive/ad-hoc search on historic data - 100’s of TB • Generate metrics and alerts from the logs in real-time • Can be installed on-premises (privacy / security) • Affordable - TCO (hardware, license, operations)

  3. Data Driven SecOps Humio Alerts/dashboards 30k PC’s ~1M/sec CEP 6 AD’s 2k servers 20TB/day Log Store BRO network Incident Response

  4. Put Logs in an Index? High Volume Low Volume DATA INDEX

  5. Index-Free High Volume Low Volume DATA

  6. Index-Free DATA DATA High Volume Low Volume DATA DATA

  7. Index-Free DATA DATA High Volume Low Volume DATA DATA

  8. Index-Free WANT DATA TIME “INDEX” DATA High Volume Low Volume DATA DATA

  9. ALERTS & DASHBOARD Index-Free DATA Stream Query DATA Stream High Volume Query DATA Ad-Hoc Queries Stream DATA Query

  10. /error/i | count() Query State Machine State Machine count: 473 Event Store count: 243,565

  11. Log Store Design • Build minimal index and compress data Store order of magnitude more events • Fast “grep” for filtering events Filtering and time/metadata selection 
 reduces the problem space

  12. Event Store 10 GB (start-time, end-time, metadata) 10 GB (start-time, end-time, metadata) 10 GB (start-time, end-time, metadata) . . . 10 GB (start-time, end-time, metadata)

  13. Event Store 1 month x 30GB/day ingest 1 month x 1TB/day ingest 90GB data, <1 MB index 4TB data, <1 MB index 1 GB 40 MB (start-time, end-time, metadata) 1 GB (start-time, end-time, metadata) 40 MB compress 1 GB (start-time, end-time, metadata) 40 MB . . . . . . 1 GB (start-time, end-time, metadata) 40 MB Bloom Filters +4% overhead

  14. Query datasource #dc1, #web 1 GB 1 GB 1 GB 1 GB 1 GB #dc1, #app 1 GB 1 GB 1 GB #dc2, #web 1 GB 1 GB time

  15. Query 10 GB datasource #dc1, #web 1 GB 1 GB 1 GB 1 GB 1 GB #dc1, #app 1 GB 1 GB 1 GB #dc2, #web 1 GB 1 GB time

  16. #IndexFreeLogging + Real-time Processing Brute-Force Search • “Materialized views” 
 • Shift CPU load to 
 for dashboards/alerts. query time • Processed when data 
 • Data compression is in-memory anyway. • Filtering, not Indexing • Fast response times 
 • Requires “Full stack” 
 for “known” queries. ownership to perform 


  17. Humio Ingest Data Flow alerts / dashboards API/ Agent Digest Storage Ingest • Send data • HTTP/TCP API • Live queries • Replication • Authenticate • Write segment files • Field Extraction

  18. Use Kafka for the ‘hard parts’ • Coordination • Commit-log / ingest buffer • No KSQL

  19. Kafka 101 • Kafka is a reliable distributed log/queue system • A Kafka queue consists of a number of partitions • Messages within a partition are sequenced • Partitions are replicated for durability • Use ‘partition consumers’ to parallelise work

  20. Kafka 101 topic partition #1 consumer producer partition=hash(key) partition #2 consumer partition #3

  21. Coordination ‘global data’ • Zookeeper-like system in-process • All cluster node keep entire K/V set in memory • Make decisions locally/fast without crossing a network boundary. • Allows in-memory indexes of meta data.

  22. Coordination ‘global data’ • Coordinated via single-partition Kafka queue • Ops-based CRDT-style event sourcing • Bootstrap from snapshot from any node • Kafka config: low latency

  23. Durability • Don’t loose people’s data. • Control and manage data life expectancy • Store, Replicate, Archive, Multi-tier Data storage

  24. Durability Kafka Agent Ingest Digest Storage • Send data • Authenticate • Streaming queries • Replication • Field Extraction • Write segment files • Queries on ‘old data’

  25. Durability API/ Agent Kafka Ingest HTTP 200 response => Kafka ACK’ed the store

  26. File records last consumed 
 Durability sequence number from disk Digest WIP 
 Segment QE Kafka (buffer) Retention must be long enough to deal with crash

  27. Durability Digest WIP 
 Segment Ingest QE Kafka Kafka (buffer) ingest latency p50 p99

  30. Hash? topic partition #1 consumer producer ? partition=hash(key) partition #2 consumer partition #3

  31. Consumers falling behind… • Reasons: • Data volume • Processing time for real-time processing • Measure ingest latency • Increase parallelism when running 10s behind • Log scale (1, 2, 4, …) randomness added to key.

  32. Data Sources topic multiplexing partition #1 partition #2 … 100.000 … 100.000 partition #3

  33. Data Model * * Repository Data Source Event • Storage limits • Time series identified by 
 • Timestamp + 
 • User admin set of key-value ‘tags’ Map[String,String] Hash ( ) #type=accesslog,#host=ops01

  34. High variability tags ‘auto grouping’ • Tags (hash key) may be chosen with large value domain • User name • IP-address • This causes many datasources => growth in metadata, resource issues.

  35. High variability tags ‘auto grouping’ • Tags (hash key) may be chosen with large value domain • User name • IP-address • Humio sees this and hashes tag value into a smaller value domain before the Kafka partition hash.

  36. High variability tags ‘auto grouping’ • For example, before Kafka ingest hash(“kresten”) 
 #user=kresten => #user=13 • Store the actual value ‘ kresten ’ in the event • At query time, a search is then rewritten to search the data source #user=13 , and re-filter based on values.

  37. Multiplexing in Kafka • Ideally, we would just have 100.000 dynamic topics that perform well and scales infinitely. • In practice, you have to know your data, and control the sharding. Default Kafka configs work for many workloads, but for maximum utilisation you have to do go beyond defaults. • Humio automates this problem for log data w/ tags.

  38. Using Kafka in an on-prem Product • Leverage the stability and fault tolerance of Kafka • Large customers often have Kafka knowledge • We provide kafka/zookeeper docker images • Only real issue is Zookeper dependency • Often runs out of disk space in small setups

  39. Other Issues • Observed GC pauses in the JVM • Kafka and HTTP libraries compress data • JNI/GC interactions with byte[] can block global GC. • We replaced both with custom compression • JLibGzip (gzip in pure Java) • Zstd and LZ4/JNI using DirectByteBu ff er

  40. Resetting Kafka/Zookeeper • Kafka provides a ‘cluster id’ we can use as epoch • All Kafka sequence numbers (o ff sets) are reset • Recognise this situation, no replay beyond such a reset.

  41. What about KSQL? • Kafka now has KSQL which is in many ways similar to the engine we built • Humio moves computation to the data, • KSQL moves the data to the computation • We provide interactive end-user friendly experience

  42. Final thoughts • With #IndexFreeLogging you can eat your cake and have it too: fast, useful, low footprint logging. • Many di ffi cult problems go away by deferring them to Kafka.

  43. Thanks for your time. Kresten Krab Thorup Humio CTO

  44. Filter 1GB data

  45. Filter 1GB data

  46. Filter 1GB data

  47. Filter 1GB data

  48. Filter 1GB data

Recommend

FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa,

FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa,

7/17/2019 From HTTP to Kafka-based microservices FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa, FLYR Poland @wrzasa localhost:4567/index.html?print-pdf#/ 1/83 From HTTP to Kafka-based

1.15k views • 83 slides
Streaming Log Analytics with Kafka Kresten Krab Thorup, Humio CTO Log Everything, Answer

Streaming Log Analytics with Kafka Kresten Krab Thorup, Humio CTO Log Everything, Answer

Streaming Log Analytics with Kafka Kresten Krab Thorup, Humio CTO Log Everything, Answer Anything, In Real-Time. Why this talk? Humio is a Log Analytics system Designed to run on-prem High volume, real time

860 views • 44 slides
How-to for real-time streaming and analytics at scale with Apache Kafka and Apache Ignite Viktor

How-to for real-time streaming and analytics at scale with Apache Kafka and Apache Ignite Viktor

How-to for real-time streaming and analytics at scale with Apache Kafka and Apache Ignite Viktor Gamov, Confluent, @gamussa Denis Magda, GridGain, @denismagda Digital Transformations Challenges Application Layer 10-100x more queries and

347 views • 18 slides
Kafka Needs No Keeper Colin McCabe 2 Introduction Kafka has gotten its mileage out of

Kafka Needs No Keeper Colin McCabe 2 Introduction Kafka has gotten its mileage out of

1 Kafka Needs No Keeper Colin McCabe 2 Introduction Kafka has gotten its mileage out of Zookeeper But it is still a second system KIP-500 has been adopted by the community This is not a 1-1 replacement Weve been

1.92k views • 124 slides
Introduction to Kafka Instructor: Ekpe Okorafor 1. Big Data Academy - Accenture 2. Computer

Introduction to Kafka Instructor: Ekpe Okorafor 1. Big Data Academy - Accenture 2. Computer

Introduction to Kafka Instructor: Ekpe Okorafor 1. Big Data Academy - Accenture 2. Computer Science - African University of Science &amp; Technology Agenda Introduction - Messaging Basics Kafka Architecture Kafka

555 views • 26 slides
Cr Cruise Co Control: Effo l: Effortle less M Manage gement o of K f Kafka fka Clu

Cr Cruise Co Control: Effo l: Effortle less M Manage gement o of K f Kafka fka Clu

Cr Cruise Co Control: Effo l: Effortle less M Manage gement o of K f Kafka fka Clu Clusters Adem Efe Gencer Senior Software Engineer LinkedIn Kafka: A Distributed Stream Processing Platform : High throughput &amp; low latency :

989 views • 50 slides
Kafka in Jail Running Kafka in container orchestrated clusters Sean Glover, Lightbend @seg1o

Kafka in Jail Running Kafka in container orchestrated clusters Sean Glover, Lightbend @seg1o

Kafka in Jail Running Kafka in container orchestrated clusters Sean Glover, Lightbend @seg1o Who am I? Im Sean Glover Senior Software Engineer at Lightbend Member of the Fast Data Platform team Contributor to various projects in

788 views • 60 slides
Apache Kafka + Apache Mesos Highly Scalable Streaming Microservices with Kafka Streams Kai

Apache Kafka + Apache Mesos Highly Scalable Streaming Microservices with Kafka Streams Kai

Apache Kafka + Apache Mesos Highly Scalable Streaming Microservices with Kafka Streams Kai Waehner Technology Evangelist kontakt@kai-waehner.de LinkedIn @KaiWaehner www.kai-waehner.de Confidential 1 Abstract Microservices establish many

977 views • 44 slides
real-time alerting, analytics and reporting at scale with Apache Kafka and Apache Ignite

real-time alerting, analytics and reporting at scale with Apache Kafka and Apache Ignite

1 real-time alerting, analytics and reporting at scale with Apache Kafka and Apache Ignite @denismagda | @jwfbean | @IMCSUMMIT @denismagda | @jwfbean 2 Hello @jwfbean @denismagda @denismagda | @jwfbean | @IMCSUMMIT

368 views • 25 slides
Day 3 Lab1: Spark Streaming with Kafka Example Introductions In this example, we will write a

Day 3 Lab1: Spark Streaming with Kafka Example Introductions In this example, we will write a

Day 3 Lab1: Spark Streaming with Kafka Example Introductions In this example, we will write a Spark Streaming program that consumes messages from Kafka. We will reuse the whole setup from the previous lab, so this lab is best done as a

233 views • 4 slides
High throughput High throughput kafka for science kafka for science Testing Kafkas limits

High throughput High throughput kafka for science kafka for science Testing Kafkas limits

High throughput High throughput kafka for science kafka for science Testing Kafkas limits for science J Wyngaard, PhD wyngaard@jpl.nasa.gov UTLINE O UTLINE O Streaming Science Data Benchmark Context Tests and Results

473 views • 30 slides
Day 4 Lab1: Docker container for Kafka - Spark streaming - Cassandra This Dockerfile sets up

Day 4 Lab1: Docker container for Kafka - Spark streaming - Cassandra This Dockerfile sets up

Day 4 Lab1: Docker container for Kafka - Spark streaming - Cassandra This Dockerfile sets up a complete streaming environment for experimenting with Kafka, Spark streaming (PySpark), and Cassandra. It installs Kafka 0.10.2.1 Spark 2.1.1

156 views • 4 slides
Apache Kafka Real-Time Data Pipelines http://kafka.apache.org/ Joe Stein Developer,

Apache Kafka Real-Time Data Pipelines http://kafka.apache.org/ Joe Stein Developer,

Apache Kafka Real-Time Data Pipelines http://kafka.apache.org/ Joe Stein Developer, Architect &amp; Technologist Founder &amp; Principal Consultant =&gt; Big Data Open Source Security LLC - http://stealth.ly Big Data Open Source

637 views • 40 slides
Free presentation tool for mac Free presentation tool for mac.zip Which Prezi plan is right for

Free presentation tool for mac Free presentation tool for mac.zip Which Prezi plan is right for

Free presentation tool for mac Free presentation tool for mac.zip Which Prezi plan is right for you? Try FREE; Unlimited presentations: along with powerful analytics and collaboration tools.as iWork, and it's free to anyone who owns a post-2013

580 views • 4 slides
READING KAFKA IN QATAR Qatar-TESOL Conference, April 2011 Magdalena Rostron Academic Bridge

READING KAFKA IN QATAR Qatar-TESOL Conference, April 2011 Magdalena Rostron Academic Bridge

READING KAFKA IN QATAR Qatar-TESOL Conference, April 2011 Magdalena Rostron Academic Bridge Program Qatar Foundation, Doha, Qatar mrostron@qf.org.qa Introduction my story Reading Kafka In Qatar Reading Kafka in Qatar

562 views • 10 slides
Blockchain consensus Protocols in the Wild Tao Wang, Lihang Pan ECS 265 Apache Kafka

Blockchain consensus Protocols in the Wild Tao Wang, Lihang Pan ECS 265 Apache Kafka

Blockchain consensus Protocols in the Wild Tao Wang, Lihang Pan ECS 265 Apache Kafka (CFT) PBFT (BFT) Kafka Architecture ISR (in- sync) {b1,b2,b3} b1 b2 b3 Photo credit to Apache

2.57k views • 32 slides
INTEGRATING SYSTEMS INTEGRATING SYSTEMS IN THE AGE OF IN THE AGE OF QUARKUS, KNATIVE AND KAFKA

INTEGRATING SYSTEMS INTEGRATING SYSTEMS IN THE AGE OF IN THE AGE OF QUARKUS, KNATIVE AND KAFKA

Sponsorslides INTEGRATING SYSTEMS INTEGRATING SYSTEMS IN THE AGE OF IN THE AGE OF QUARKUS, KNATIVE AND KAFKA CONNECT QUARKUS, KNATIVE AND KAFKA CONNECT Peter Palaga @ppalaga The original reveal.js presentation this PDF was created from is

1.05k views • 93 slides
Cloud-Native and Scalable Kafka Allen Wang @allenxwang About Me Real Time Data

Cloud-Native and Scalable Kafka Allen Wang @allenxwang About Me Real Time Data

Cloud-Native and Scalable Kafka Allen Wang @allenxwang About Me Real Time Data Infrastructure @ Netflix Apache Kafka contributor (KIP-36 Rack Aware Assignment) NetflixOSS contributor (Archaius and Ribbon) Previously Cloud

722 views • 44 slides
Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer,

Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer,

Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer, Streaming Team @ Uber Streaming team supports platform for real time data analytics: Kafka, Samza, Flink, Pinot.. and plenty more

1.91k views • 71 slides
Burrows-Wheeler Transform and FM Index Ben Langmead You are free to use these slides. If you do,

Burrows-Wheeler Transform and FM Index Ben Langmead You are free to use these slides. If you do,

Burrows-Wheeler Transform and FM Index Ben Langmead You are free to use these slides. If you do, please sign the guestbook (www.langmead-lab.org/teaching-materials), or email me (ben.langmead@gmail.com) and tell me brie fl y how youre using

978 views • 41 slides
Google Analytics Overview Whats Google Analytics? The Google Analytics

Google Analytics Overview Whats Google Analytics? The Google Analytics

Google Analytics Overview Whats Google Analytics? The Google Analytics implementation formula. Steps involved in installing Google Analytics. Tracking events, campaigns and ecommerce data. Creating goals and funnels

652 views • 40 slides
Period Index: A Learned 2D Hash Index for Range and Duration Queries Andreas Behrend 1 os 2 Johann

Period Index: A Learned 2D Hash Index for Range and Duration Queries Andreas Behrend 1 os 2 Johann

Period Index: A Learned 2D Hash Index for Range and Duration Queries Andreas Behrend 1 os 2 Johann Gamper 2 Anton Dign Philip Schmiegelt 3 Hannes Voigt 4 Matthias Rottmann 5 Karsten Kahl 5 1 University of Bonn, Germany 2 Free University of

871 views • 30 slides
ASSET LEVEL INDEX Further improving transparency of the non-listed real estate industry INREV

ASSET LEVEL INDEX Further improving transparency of the non-listed real estate industry INREV

ASSET LEVEL INDEX Further improving transparency of the non-listed real estate industry INREV Vitaliy Tonenchuk April 2019 Senior Research and Analytics Manager Contents How it started How big the index will be How you can

700 views • 37 slides
Towards a new ITU index Progress report on framework development ITU TDAG Web Dialogue, 25 March

Towards a new ITU index Progress report on framework development ITU TDAG Web Dialogue, 25 March

Towards a new ITU index Progress report on framework development ITU TDAG Web Dialogue, 25 March 2020 ICT Data and Analytics Division Telecommunication Development Bureau International Telecommunication Union Why a new index? Demand for a

263 views • 14 slides

More recommend