Thanks for your answers, Rainer. That clarifies a lot!

Regarding upper limits, I'm aware that both workers and batch sizes defined
are maximums.

--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/

On Wed, Apr 8, 2015 at 1:51 PM, Rainer Gerhards <[email protected]>
wrote:

> 2015-04-08 12:43 GMT+02:00 Radu Gheorghe <[email protected]>:
> > Thanks Rainer! So let me see if I get this straight. Say I want to
> > mmnormalize some logs and then omelasticsearch them. I would (please
> > correct me where I'm wrong):
> >
> > - define a beefy main queue for buffering and everything
> > - add a mmnormalize action that will change events from the main queue.
> Can
> > I use queue.workerthreads to parallelize this? What about processing in
> > batches - does queue.dequeuebatchsize on the main queue govern that or
> it's
> > impossible?
> > - add a omelasticsearch action with no action queue (unless I want to
> copy
> > events from the main queue and process them async - say write them to ES
> > but also to a file). The ES bulk size would be queue.dequeuebatchsize of
> > the main queue and I can use multiple threads via queue.workerthreads
> >
> > Am I getting it right?
>
> sounds good, assuming this is your whole config (sounds so). Regarding
> the queue settings: they affect every action that's not runing on a
> separate queue. So if you define workers and batch sizes, they also
> apply to mmnormalize. Note that you define an *upper limit* on worker
> threads. Rsyslog will only spawn them if required (what's required is
> defined via other queue settings).
>
> Rainer
> >
> > --
> > Performance Monitoring * Log Analytics * Search Analytics
> > Solr & Elasticsearch Support * http://sematext.com/
> >
> > On Wed, Apr 8, 2015 at 12:28 PM, Rainer Gerhards <
> [email protected]>
> > wrote:
> >
> >> 2015-04-08 9:34 GMT+02:00 Radu Gheorghe <[email protected]>:
> >> > Hello,
> >> >
> >> > I have three questions about action queues:
> >> > 1) if I have a message modifier action (e.g. mmnormalize), should I
> add
> >> an
> >> > action queue for better performance?
> >>
> >> no, simply because that wouldn't work as expected. Remember that a
> >> queue runs async, so the modification would not get back to the
> >> original message object.
> >>
> >> > 2) what's the flow of messages if I have both mmnormalize and, say,
> >> > omelasticsearch? Messages flow from the main queue to mmnormalize's
> queue
> >> > (if any) and then back to the main queue to be processed by
> >> omelasticsearch?
> >>
> >> I guess I already answered this ;) With a queue, message objects are
> >> duplicated and never be injected back. that's the prime reason you
> >> want a queue.
> >>
> >> > 3) how does queue.dequeuebatchsize work if I have an action queue. For
> >> > example:
> >> >
> >> > * I have a main queue with dequeuebatchsize=100
> >> > * I have an omelasticsearch action with no queue (direct) and
> >> > dequeuebatchsize=1000 and BulkMode="on"
> >>
> >> dequeuebatchsize has no effect in direct mode.
> >>
> >> >
> >> > How many messages are sent to ES in a single bulk? 100? 1000? 1?
> >>
> >> at most 100 (fewer if the batch doesn't get full).
> >>
> >> > I can do a test to answer this last question, but I'd like to
> understand
> >> > how multiple actions and direct queues work. For example, I didn't
> notice
> >> > any difference in performance (during a benchmark) with and without an
> >> > action queue with mmnormalize. But maybe the bottleneck was somewhere
> >> else.
> >>
> >> queues always *cost* performance. If you need more concurrency, you
> >> should adjust the main or ruleset queue accordingly.
> >>
> >> HTH
> >> Rainer
> >> >
> >> > Best regards,
> >> > Radu
> >> > --
> >> > Performance Monitoring * Log Analytics * Search Analytics
> >> > Solr & Elasticsearch Support * http://sematext.com/
> >> > _______________________________________________
> >> > rsyslog mailing list
> >> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> > http://www.rsyslog.com/professional-services/
> >> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
> >>
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to