Thanks Rainer! So let me see if I get this straight. Say I want to
mmnormalize some logs and then omelasticsearch them. I would (please
correct me where I'm wrong):

- define a beefy main queue for buffering and everything
- add a mmnormalize action that will change events from the main queue. Can
I use queue.workerthreads to parallelize this? What about processing in
batches - does queue.dequeuebatchsize on the main queue govern that or it's
impossible?
- add an omelasticsearch action with no action queue (unless I want to copy
events from the main queue and process them async - say write them to ES
but also to a file). The ES bulk size would be queue.dequeuebatchsize of
the main queue and I can use multiple threads via queue.workerthreads

Am I getting it right?

--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/

On Wed, Apr 8, 2015 at 12:28 PM, Rainer Gerhards <[email protected]>
wrote:

> 2015-04-08 9:34 GMT+02:00 Radu Gheorghe <[email protected]>:
> > Hello,
> >
> > I have three questions about action queues:
> > 1) if I have a message modifier action (e.g. mmnormalize), should I add an
> > action queue for better performance?
>
> no, simply because that wouldn't work as expected. Remember that a
> queue runs async, so the modification would not get back to the
> original message object.
>
> > 2) what's the flow of messages if I have both mmnormalize and, say,
> > omelasticsearch? Messages flow from the main queue to mmnormalize's queue
> > (if any) and then back to the main queue to be processed by omelasticsearch?
>
> I guess I already answered this ;) With a queue, message objects are
> duplicated and never injected back. That's the prime reason you
> want a queue.
>
> > 3) how does queue.dequeuebatchsize work if I have an action queue. For
> > example:
> >
> > * I have a main queue with dequeuebatchsize=100
> > * I have an omelasticsearch action with no queue (direct) and
> > dequeuebatchsize=1000 and BulkMode="on"
>
> dequeuebatchsize has no effect in direct mode.
>
> >
> > How many messages are sent to ES in a single bulk? 100? 1000? 1?
>
> at most 100 (fewer if the batch doesn't get full).
>
> > I can do a test to answer this last question, but I'd like to understand
> > how multiple actions and direct queues work. For example, I didn't notice
> > any difference in performance (during a benchmark) with and without an
> > action queue with mmnormalize. But maybe the bottleneck was somewhere else.
>
> queues always *cost* performance. If you need more concurrency, you
> should adjust the main or ruleset queue accordingly.
>
> HTH
> Rainer
> >
> > Best regards,
> > Radu
> > --
> > Performance Monitoring * Log Analytics * Search Analytics
> > Solr & Elasticsearch Support * http://sematext.com/
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
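The layout Rainer's answers point to, written out as an added example that is not part of either message: one main queue, mmnormalize and omelasticsearch both in direct mode, and batching and concurrency set on the main queue only. The rulebase path, server, template name and queue sizes are assumptions chosen for illustration.

```rsyslog
module(load="mmnormalize")
module(load="omelasticsearch")

# The only queue in this pipeline. Per the replies above, the batch handed to a
# direct-mode action is at most queue.dequeueBatchSize messages, and extra
# concurrency is configured here rather than on the actions.
main_queue(
    queue.size="100000"           # assumed value
    queue.dequeueBatchSize="100"  # upper bound for one ES bulk request
    queue.workerThreads="2"       # assumed value
)

# Not this: an action queue runs async on a duplicate of the message, so the
# fields mmnormalize parses would never reach the omelasticsearch action.
# action(type="mmnormalize" rulebase="/etc/rsyslog.d/example.rb"
#        queue.type="LinkedList")

# Direct mode (no queue.* parameters): modifies the message object in place.
action(type="mmnormalize" rulebase="/etc/rsyslog.d/example.rb")  # assumed path

# Ship the parsed fields as JSON.
template(name="all-json" type="list") {
    property(name="$!all-json")
}

# Direct mode as well: a queue.dequeueBatchSize set here would have no effect,
# so the bulk size follows the main queue's batch.
action(type="omelasticsearch"
       server="localhost"         # assumed server
       template="all-json"
       bulkmode="on")
```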