streaming log analytics with kafka
play

Streaming Log Analytics with Kafka Kresten Krab Thorup, Humio CTO - PowerPoint PPT Presentation

Mar 10, 2024 •408 likes •860 views

Streaming Log Analytics with Kafka Kresten Krab Thorup, Humio CTO Log Everything, Answer Anything, In Real-Time. Why this talk? Humio is a Log Analytics system Designed to run on-prem High volume, real time

  1. Streaming Log Analytics 
 with Kafka Kresten Krab Thorup, Humio CTO Log Everything, Answer Anything, In Real-Time.

  2. Why this talk? • Humio is a Log Analytics system • Designed to run “on-prem” • High volume, real time responsiveness. • We decided to delegate the ‘hard parts’ of distributed systems to Kafka. This is a talk about our experiences.

  3. Data Driven SecOps Humio Alerts/dashboards 30k PC’s ~1M/sec CEP 6 AD’s 2k servers 20TB/day Log Store BRO network Incident Response

  4. Humio Ingest Data Flow API/ Agent Digest Storage Ingest • Send data • HTTP/TCP API • Streaming queries • Replication • Authenticate • Write segment files • Field Extraction

  5. /error/i | count() Query State Machine State Machine count: 473 Event Store count: 243,565

  6. Humio Query Flow Browser API Digest Storage • Start Query • Initiate Query • Provide results for 
 • Provide results for 
 • Poll Status • Merge results live data 
 historic data 
 • Schedule polls (materialized view) (ad-hoc query)

  7. Real-time Processing Brute-Force Search • “Materialized views” 
 • Shift CPU load to 
 for dashboards/alerts. query time • Processed when data 
 • Data compression is in-memory anyway. • Allows ad-hoc queries • Fast response times 
 • Requires “Full stack” 
 for “known” queries. ownership 


  8. Use Kafka for the ‘hard parts’ • Coordination • Commit-log / ingest buffer • Transient data • No KSQL

  9. Kafka 101 • Kafka is a reliable distributed log/queue system • A Kafka queue consists of a number of partitions • Messages within a partition are sequenced • Partitions are replicated for durability • Use ‘partition consumers’ to parallelise work

  10. Kafka 101 topic partition #1 consumer producer partition=hash(key) partition #2 consumer partition #3

  11. Coordination ‘global data’ • Zookeeper-like system in-process • Hierarchical key/value store • Make decisions locally/fast without crossing a network boundary. • Allows in-memory indexes of meta data.

  12. Coordination ‘global data’ • Coordinated via single-partition Kafka queue • Ops-based CRDT-style event sourcing • Bootstrap from snapshot from any node • Kafka config: low latency

  13. Log Store Design • Build minimal index and compress data Store order of magnitude more events • Fast “grep” for filtering events Filtering and time/metadata selection 
 reduces the problem space

  14. Event Store 10 GB (start-time, end-time, metadata) 10 GB (start-time, end-time, metadata) 10 GB (start-time, end-time, metadata) . . . 10 GB (start-time, end-time, metadata)

  15. Event Store 1 month x 30GB/day ingest 1 month x 1TB/day ingest 90GB data, <1 MB index 4TB data, <1 MB index 1 GB (start-time, end-time, metadata) 1 GB (start-time, end-time, metadata) compress 1 GB (start-time, end-time, metadata) . . . 1 GB (start-time, end-time, metadata)

  16. Query datasource #ds1, #web 1 GB 1 GB 1 GB 1 GB 1 GB #ds1, #app 1 GB 1 GB 1 GB #ds2, #web 1 GB 1 GB time

  17. Query 10 GB datasource #ds1, #web 1 GB 1 GB 1 GB 1 GB 1 GB #ds1, #app 1 GB 1 GB 1 GB #ds2, #web 1 GB 1 GB time

  18. Humio Query Flow Browser API Digest Storage • Start Query • Schedule Query • Provide results for 
 • Provide results for 
 • Poll Status • Merge results live data 
 historic data 
 (materialized view) (ad-hoc query)

  19. Durability • Don’t loose people’s data. • Control and manage data life expectancy • Store, Replicate, Archive, Multi-tier Data storage

  20. Durability Kafka Agent Ingest Digest Storage • Send data • Authenticate • Streaming queries • Replication • Field Extraction • Write segment files • Queries on ‘old data’

  21. Durability API/ Agent Kafka Ingest HTTP 200 response => Kafka ACK’ed the store

  22. File records last consumed 
 Durability sequence number from disk Digest WIP 
 Segment QE Kafka (buffer) Retention must be long enough to deal with crash

  23. Durability Digest WIP 
 Segment Ingest QE Kafka Kafka (buffer) ingest latency p50 p99

  26. Hash? topic partition #1 consumer producer ? partition=hash(key) partition #2 consumer partition #3

  27. Partitions falling behind… • Reasons: • Data volume • Processing time for real-time processing • Measure ingest latency • Increase parallelism when running 10s behind • Log scale (1, 2, 4, …) randomness added to key.

  28. Data Sources topic multiplexing partition #1 partition #2 … 100.000 … 100.000 partition #3

  29. Data Model * * Repository Data Source Event • Storage limits • Time series identified by 
 • Timestamp + 
 • User admin set of key-value ‘tags’ Map[String,String] Hash ( ) #type=accesslog,#host=ops01

  30. High variability tags ‘auto grouping’ • Tags (hash key) may be chosen with large value domain • User name • IP-address • This causes many datasources => growth in metadata, resource issues.

  31. High variability tags ‘auto grouping’ • Tags (hash key) may be chosen with large value domain • User name • IP-address • Humio sees this and hashes tag value into a smaller value domain before the Kafka partition hash.

  32. High variability tags ‘auto grouping’ • For example, before Kafka ingest hash(“kresten”) 
 #user=kresten => #user=13 • Store the actual value ‘ kresten ’ in the event • At query time, a search is then rewritten to search the data source #user=13 , and re-filter based on values.

  33. Multiplexing in Kafka • Ideally, we would just have 100.000 dynamic topics that perform well and scales infinitely. • In practice, you have to know your data, and control the sharding. Default Kafka configs work for many workloads, but for maximum utilisation you have to do go beyond defaults.

  34. Using Kafka in an on-prem Product • Leverage the stability and fault tolerance of Kafka • Large customers often have Kafka knowledge • We provide kafka/zookeeper docker images • Only real issue is Zookeper dependency • Often runs out of disk space in small setups

  35. Other Issues • Observed GC pauses in the JVM • Kafka and HTTP libraries compress data • JNI/GC interactions with byte[] can block global GC. • We replaced both with custom compression • JLibGzip (gzip in pure Java) • LZ4/JNI using DirectByteBu ff er

  36. Resetting Kafka/Zookeeper • Kafka provides a ‘cluster id’ we can use as epoch • All Kafka sequence numbers (o ff sets) are reset • Recognise this situation, no replay beyond such a reset.

  37. What about KSQL? • Kafka now has KSQL which is in many ways similar to the engine we built • Humio moves computation to the data, • KSQL moves the data to the computation • We provide interactive end-user friendly experience

  38. Final thoughts • Many di ffi cult problems go away by using Kafka. • We’ve been happy with the decision to defer the ‘hard parts’ of distributed systems to Kafka. • Some day we may build our own persistent commit log, but for how it is not worth the trouble.

  39. Thanks for your time. Kresten Krab Thorup Humio CTO

  40. Filter 1GB data

  41. Filter 1GB data

  42. Filter 1GB data

  43. Filter 1GB data

  44. Filter 1GB data

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How-to for real-time streaming and analytics at scale with Apache Kafka and Apache Ignite Viktor

How-to for real-time streaming and analytics at scale with Apache Kafka and Apache Ignite Viktor

How-to for real-time streaming and analytics at scale with Apache Kafka and Apache Ignite Viktor Gamov, Confluent, @gamussa Denis Magda, GridGain, @denismagda Digital Transformations Challenges Application Layer 10-100x more queries and

347 views • 18 slides
Day 3 Lab1: Spark Streaming with Kafka Example Introductions In this example, we will write a

Day 3 Lab1: Spark Streaming with Kafka Example Introductions In this example, we will write a

Day 3 Lab1: Spark Streaming with Kafka Example Introductions In this example, we will write a Spark Streaming program that consumes messages from Kafka. We will reuse the whole setup from the previous lab, so this lab is best done as a

233 views • 4 slides
Day 4 Lab1: Docker container for Kafka - Spark streaming - Cassandra This Dockerfile sets up

Day 4 Lab1: Docker container for Kafka - Spark streaming - Cassandra This Dockerfile sets up

Day 4 Lab1: Docker container for Kafka - Spark streaming - Cassandra This Dockerfile sets up a complete streaming environment for experimenting with Kafka, Spark streaming (PySpark), and Cassandra. It installs Kafka 0.10.2.1 Spark 2.1.1

156 views • 4 slides
Apache Kafka + Apache Mesos Highly Scalable Streaming Microservices with Kafka Streams Kai

Apache Kafka + Apache Mesos Highly Scalable Streaming Microservices with Kafka Streams Kai

Apache Kafka + Apache Mesos Highly Scalable Streaming Microservices with Kafka Streams Kai Waehner Technology Evangelist kontakt@kai-waehner.de LinkedIn @KaiWaehner www.kai-waehner.de Confidential 1 Abstract Microservices establish many

977 views • 44 slides
Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer,

Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer,

Real Time Data Analytics @ Uber Ankur Bansal November 14, 2016 About Me Sr. Software Engineer, Streaming Team @ Uber Streaming team supports platform for real time data analytics: Kafka, Samza, Flink, Pinot.. and plenty more

1.91k views • 71 slides
Real Time Aggregation with Kafka ,Spark Streaming and ElasticSearch , scalable beyond Million RPS

Real Time Aggregation with Kafka ,Spark Streaming and ElasticSearch , scalable beyond Million RPS

Real Time Aggregation with Kafka ,Spark Streaming and ElasticSearch , scalable beyond Million RPS Dibyendu B Dataplatform Engineer, InstartLogic 1 Who We are 2 3 Dataplatform : Streaming Channel Ad-hoc queries, offline queries

579 views • 31 slides
Apache Spark Streaming, Kafka and HarmonicIO: A Performance Benchmark and Architecture Comparison

Apache Spark Streaming, Kafka and HarmonicIO: A Performance Benchmark and Architecture Comparison

Apache Spark Streaming, Kafka and HarmonicIO: A Performance Benchmark and Architecture Comparison for Enterprise and Scientific Computing Ben Blamey, Andreas Hellander and Salman Toor Uppsala University, Sweden Ben.Blamey@it.uu.se Bench19,

474 views • 20 slides
Index-Free Log Analytics with Kafka Kresten Krab Thorup, Humio CTO Log Everything, Answer

Index-Free Log Analytics with Kafka Kresten Krab Thorup, Humio CTO Log Everything, Answer

Index-Free Log Analytics with Kafka Kresten Krab Thorup, Humio CTO Log Everything, Answer Anything, In Real-Time. Log Analytics Wish List Record everything - TBs of data per day Interactive/ad-hoc search on historic data -

1.03k views • 48 slides
Streaming Design Patterns Using Alpakka Kafka Connector Sean Glover, Lightbend @seg1o Who am I?

Streaming Design Patterns Using Alpakka Kafka Connector Sean Glover, Lightbend @seg1o Who am I?

Streaming Design Patterns Using Alpakka Kafka Connector Sean Glover, Lightbend @seg1o Who am I? Im Sean Glover Principal Engineer at Lightbend Member of the Lightbend Pipelines team Organizer of Scala Toronto (scalator)

1.15k views • 86 slides
High throughput High throughput kafka for science kafka for science Testing Kafkas limits

High throughput High throughput kafka for science kafka for science Testing Kafkas limits

High throughput High throughput kafka for science kafka for science Testing Kafkas limits for science J Wyngaard, PhD wyngaard@jpl.nasa.gov UTLINE O UTLINE O Streaming Science Data Benchmark Context Tests and Results

473 views • 30 slides
Massive Streaming Data Analytics: A Case Study with Clustering Coefficients Davi vid Ediger,

Massive Streaming Data Analytics: A Case Study with Clustering Coefficients Davi vid Ediger,

Massive Streaming Data Analytics: A Case Study with Clustering Coefficients Davi vid Ediger, Karl Jiang, Jason Riedy and David A. Bader Overview Motivation A Framework for Massive Streaming hello Data Analytics STINGER

385 views • 22 slides
Multi-Query Optimization in Wide-Area Streaming Analytics Albert Jonathan, Abhishek Chandra, Jon

Multi-Query Optimization in Wide-Area Streaming Analytics Albert Jonathan, Abhishek Chandra, Jon

Multi-Query Optimization in Wide-Area Streaming Analytics Albert Jonathan, Abhishek Chandra, Jon Weissman University of Minnesota Wide-Area Streaming Analytics Real-time analysis over large continuous data streams generated at the edge

316 views • 19 slides
FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa,

FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa,

7/17/2019 From HTTP to Kafka-based microservices FROM HTTP TO KAFKA-BASED FROM HTTP TO KAFKA-BASED MICROSERVICES MICROSERVICES Wojciech Rzsa, FLYR Poland @wrzasa localhost:4567/index.html?print-pdf#/ 1/83 From HTTP to Kafka-based

1.15k views • 83 slides
Aggregation and Degradation in JetStream: Streaming Analytics in the Wide Area Ariel Rabkin

Aggregation and Degradation in JetStream: Streaming Analytics in the Wide Area Ariel Rabkin

Aggregation and Degradation in JetStream: Streaming Analytics in the Wide Area Ariel Rabkin Princeton University asrabkin@cs.princeton.edu Work done with Matvey Arye, Siddhartha Sen, Vivek S. Pai, and Michael J. Freedman Todays Analytics

766 views • 28 slides
An Open-Source Streaming Machine Learning and Real-Time Analytics Architecture Using an IoT

An Open-Source Streaming Machine Learning and Real-Time Analytics Architecture Using an IoT

An Open-Source Streaming Machine Learning and Real-Time Analytics Architecture Using an IoT example (incubating) (incubating) Fred Melo William Markito @fredmelo_br @william_markito 1 Traditional Data Analytics - Limitations Store

289 views • 26 slides
Kafka Needs No Keeper Colin McCabe 2 Introduction Kafka has gotten its mileage out of

Kafka Needs No Keeper Colin McCabe 2 Introduction Kafka has gotten its mileage out of

1 Kafka Needs No Keeper Colin McCabe 2 Introduction Kafka has gotten its mileage out of Zookeeper But it is still a second system KIP-500 has been adopted by the community This is not a 1-1 replacement Weve been

1.92k views • 124 slides
Waterloo Wellington Diabetes Regional Coordination Centre (RCC) November 2011 Host Organization

Waterloo Wellington Diabetes Regional Coordination Centre (RCC) November 2011 Host Organization

Waterloo Wellington Diabetes Regional Coordination Centre (RCC) November 2011 Host Organization Ontario MOHLTC Chronic Disease Prevention and Management Strategy (CDPM) Transformation from illness focus to wellness focus

420 views • 19 slides
Mining Regulation (ESDM) Ministerial Decree No. 7/ 2014 : Reclamation &amp; Post Closure

Mining Regulation (ESDM) Ministerial Decree No. 7/ 2014 : Reclamation &amp; Post Closure

Mining Regulation (ESDM) Ministerial Decree No. 7/ 2014 : Reclamation &amp; Post Closure AMDAL (EIA Environment Impact Assessment Document) Feasibility Study Reclamation Guarantee (5 years basis) RTKKL &amp; RKAB (yearly

422 views • 15 slides
Application No: DC/19/02363 Address: Land at Hill House Lane, Needham Market Slide 2 Site

Application No: DC/19/02363 Address: Land at Hill House Lane, Needham Market Slide 2 Site

Slide 1 Application No: DC/19/02363 Address: Land at Hill House Lane, Needham Market Slide 2 Site Location Plan Slide 3 Constraints Map Slide 4 Aerial Map Aerial Map wider view Slide 5 Slide 6 Site Location Plan Slide 7 Site Layout

657 views • 11 slides
Provisional Designation of JCM TPE Capacity Building for Local Entities Indonesia JCM Secretariat

Provisional Designation of JCM TPE Capacity Building for Local Entities Indonesia JCM Secretariat

Provisional Designation of JCM TPE Capacity Building for Local Entities Indonesia JCM Secretariat Training for Validation-Verification Agency Candidates Jakarta, 26 January 2015 Scheme of the JCM between Indonesia-Japan 2 Designation of a

215 views • 10 slides
Association Summary Establishment : in 1964 Executive Board : 15 persons Member : 51

Association Summary Establishment : in 1964 Executive Board : 15 persons Member : 51

Session 4 : Protection of migrant workers in the fishing industry during recruitment and employment Protection during Employment by Mr. Kamolsak Lertpaiboon Secretary-General of NFAT 13 Sep. 2013. Association Summary

261 views • 15 slides
COMPANY PR OF IL E 1 20/ 03/ 2018 Sun For The Future CONT E NT S Vision &amp;

COMPANY PR OF IL E 1 20/ 03/ 2018 Sun For The Future CONT E NT S Vision &amp;

Sun For The Future COMPANY PR OF IL E 1 20/ 03/ 2018 Sun For The Future CONT E NT S Vision &amp; Mission Ke y De ve lopme nt Mile stone s Por tfolios &amp; Dive r sific ation (T o ta ling 298.42 MW PPA) Inve

463 views • 27 slides
Significant benefit of OMPs Industry views Adam Heathfield, Pfizer Co-Chair of EFPIA/EuropaBio

Significant benefit of OMPs Industry views Adam Heathfield, Pfizer Co-Chair of EFPIA/EuropaBio

Significant benefit of OMPs Industry views Adam Heathfield, Pfizer Co-Chair of EFPIA/EuropaBio Joint Task Force on Rare Diseases and Orphan Medicinal Products Positive benefits of Orphan Medicines regulation in the EU Industry values the

479 views • 13 slides
DNSSEC Workshop Singapore ICANN Meeting 22 June 2011 1 Program Committee Steve Crocker,

DNSSEC Workshop Singapore ICANN Meeting 22 June 2011 1 Program Committee Steve Crocker,

DNSSEC Workshop Singapore ICANN Meeting 22 June 2011 1 Program Committee Steve Crocker, Shinkuro, Inc. Simon McCalla, Nominet Russ Mundy, Cobham Lance Wolak, Public Interest Registry Julie Hedlund, ICANN Sponsors

136 views • 13 slides

More recommend