So internally, Riemann just creates a clojure hashmap for each event {host:
blah, metric: foo, ttl: 60, ... }.

It holds a snapshot of recent events in memory, and it indexes certain
fields - host, service etc.

You can add whatever additional attributes you like, because riemann will
just add them to the map. They operate a little slower than the built-in
fields, but you can work with them in the same way:
http://riemann.io/howto.html#custom-event-attributes

On Mon, 5 Dec 2016 at 12:29 David Lang <[email protected]> wrote:

> I still have a question about what the attributes are. They weren't
> mentioned
> in the video you posted.
>
> David Lang
>
> On Mon, 5 Dec 2016, Bob Gregory wrote:
>
> > Date: Mon, 05 Dec 2016 12:26:17 +0000
> > From: Bob Gregory <[email protected]>
> > Reply-To: rsyslog-users <[email protected]>
> > To: rsyslog-users <[email protected]>
> > Subject: Re: [rsyslog] omriemann configuration (was musing on ERK stack)
> >
> >> what about status? is it normally/commonly left blank?
> >
> > It depends on the use case, for something like cpu usage, the state would
> > be blank; likewise for rsyslog message throughput. I would expect to see
> a
> > state for something like monitoring redis operations, or HTTP calls,
> where
> > the metric represents the latency of an operation, and the state is "ok"
> if
> > the operation succeeded, otherwise "error".
> >
> > This is really my point, that most of the fields are left empty in most
> > cases - you're right that there's a lot of flexibility in how to
> represent
> > an event, and it's really down to an end-user to understand how they want
> > to format their data.
> >
> >> as long as the syntax checker for the module can report a config error
> if
> > you
> >> don't have at least one
> >
> > Works for me.
> >
> > -- Bob.
> >
> >
> > On Mon, 5 Dec 2016 at 12:20 David Lang <[email protected]> wrote:
> >
> >> On Mon, 5 Dec 2016, Bob Gregory wrote:
> >>
> >>> Yo yo, David.
> >>>
> >>> I think you're convincing me, at least on the service/programname. That
> >>> means we can default all of the required host, service, timestamp
> >> fields. I
> >>> also like the simpler approach of using the fractional part to decide
> >> which
> >>> kind of metric we're sending. That's a better user-experience.
> >>>
> >>> I still feel reasonably strongly that we oughtn't to default the other
> >>> fields, since the usual case of riemann is for them to be absent.
> >>>
> >>> Are you satisfied with the host, service, timestamp fields having
> >> defaults?
> >>> That means that the following
> >>>
> >>> action(type="omriemann" metric="1") will send {host:$hostname, time:
> >>> $timereported,   service: $programname}
> >>>
> >>> While it's not going to be very useful, it's at least something you can
> >>> dump to console on the Riemann host and see that data are flowing.
> >>
> >> what about status? is it normally/commonly left blank?
> >>
> >> as long as the syntax checker for the module can report a config error
> if
> >> you
> >> don't have at least one of description, metric, status defined in an
> >> action()
> >> call (with an error message that will make it obvious to the admin why
> >> they are
> >> getting the error)
> >>
> >> David Lang
> >>
> >>>
> >>>
> >>> On Mon, 5 Dec 2016 at 11:39 David Lang <[email protected]> wrote:
> >>>
> >>> On Mon, 5 Dec 2016, Bob Gregory wrote:
> >>>
> >>>> @ David Lang, moving omriemann discussion back over here.
> >>>>
> >>>>> we need to try and come up with a reasonable default value for
> >>> parameters.
> >>>>
> >>>> I think I disagree with that. Most of the fields aren't required, and
> we
> >>>> shouldn't send them unless configured otherwise. The intention isn't
> >> that
> >>>> all logs will go to riemann, but only a small subset of logs, after
> >> being
> >>>> substantially transformed.
> >>>
> >>> the biggest thing we need to do is make sure that whatever the user
> >>> attempts to
> >>> send should not stall the feed, so it will either need to be discarded
> >>> (IMHO a
> >>> bad idea) or 'fixed up' if it's not valid.
> >>>
> >>>> * Description is an unusual field to include - I definitely wouldn't
> >>>> include the entire log message as a default.
> >>>> * The programname makes little sense as a service. IF I see that
> "nginx"
> >>> or
> >>>> "rsyslog" is oscillating between 20 and 57 on a graph, what does that
> >> tell
> >>>> me?
> >>>
> >>> the number of lines of rsyslog data you are getting if nothing else
> >> (which
> >>> may be something you want to monitor :-)
> >>>
> >>> again, I'm trying to make the defaults do something sane if nothing is
> >>> configured. It's better to have someone do a trivial configuration and
> >> get
> >>> flooded with data than to have them have to get a lot of things right
> >> before
> >>> anything shows up.
> >>>
> >>>> * TTL can be defaulted by Riemann. We shouldn't set it to 0. I'm not
> >>>> actually sure what happens with a TTL of 0, I'd guess the event
> >>> immediately
> >>>> expires, which would be problematic for many cases.
> >>>
> >>> Ok, as long as Riemann is designed to survive when no TTL is provided.
> >>>
> >>>> * The tags as used by rsyslog are unlikely to map meaningfully to the
> >> tags
> >>>> used by riemann because they have very different use cases. I  mostly
> >> use
> >>>> tags in rsyslog to tell me whether my logs are json, or HTTP access
> >> logs,
> >>>> or PHP exceptions etc so that I know how to handle the output of
> >>> mmnormalize
> >>>> - that's not useful data in my monitoring stack.
> >>>
> >>> again, I'm looking to set a default that has a chance of working, if
> you
> >> are
> >>> always setting the tag, the default doesn't matter.
> >>>
> >>> I set the tags to contain a lot more info, is this a connection or
> >>> disconnection, is this a login or failed login, etc.
> >>>
> >>>> It turns out, on a re-reading, that the metric isn't required either -
> >>> it's
> >>>> absolutely valid to send the event {host: localhost, service:
> "openvpn",
> >>>> status: "up | down" } for example.
> >>>
> >>> ok, makes sense.
> >>>
> >>>> Given that we can't make reasonable guesses about what the user
> >> intends, I
> >>>> think the sensible approach is to _not send_ any field for which we
> >> don't
> >>> have
> >>>> a value specified, with the exception of the source host and the
> >> timestamp
> >>>> which have obviously sane defaults.
> >>>
> >>> Here I disagree, not sending anything is likely to generate support
> >>> requests of
> >>> "I configured omriemann and got a bunch of blank events, what's wrong".
> >> I'd
> >>> rather send extra data by default so that the people experimenting can
> at
> >>> least
> >>> see stuff show up. It's much easier to then tinker with what's showing
> up
> >>> than
> >>> to have to figure out what things you have to put in to get anything to
> >>> show up.
> >>>
> >>>> Other than that, I think we're in agreement. I particularly like the
> >> idea
> >>>> of allowing metric to be a json object, that definitely simplifies the
> >>>> impstats case.
> >>>>
> >>>>> how do you signal metric types?
> >>>>
> >>>> I don't - that's down to upstream collectors. Riemann doesn't care
> what
> >>> the
> >>>> metric represents, it's just a number. It has no concept of the type
> of
> >> a
> >>>> metric, it just cares about the service name and host and allows you
> to
> >> do
> >>>> interesting things with the data stream. We use Collectd at Made, and
> >> that
> >>>> sends metrics with gauge/counter/derive in the service name.
> >>>
> >>> ok, that's interesting. Every other montioring tool I've used wants it
> >>> specified
> >>> as it's passed in. In many cases, this can be configured to different
> >>> things on
> >>> different servers for the same metric.
> >>>
> >>>> There is an expectation that you would only use a single field from
> >>> metric,
> >>>> metric_f, metric_s64 etc. I've never actually tried sending more than
> >> one
> >>>> metric to riemann in a message, because clients tend to explicitly
> >> forbid
> >>>> it. Internally, all those protobuf fields map down to the same metric
> >>>> field, so I'm unsure whether riemann will reject the message or select
> >> one
> >>>> of the fields in an unspecified precedence. Deciding which of those
> >>> protobuf
> >>>> fields to send is a open problem. Any thoughts on that?
> >>>
> >>> we don't want the user to have to specify the specific type, that's too
> >>> likely
> >>> to lead to someone picking the wrong type. Everything is a string in
> >>> rsyslog to
> >>> start with, so I'd say that the metric should use the s64 if there is
> no
> >>> fractinal portion and double if there is.
> >>>
> >>>> I have no idea what we would do if some anarchist sent us the json
> >> object
> >>> {
> >>>> "metrics": { "service": "trololol", "metric_f": 0.2, "metric_int": 27
> >> }}.
> >>>> We can either reject the message and log an error, or specify some
> >>>> precedence order. I don't have a strong feeling either way; it's
> >> probably
> >>>> ok if we reformat your integer as a double, but I generally like
> >> software
> >>>> to fail fast instead of limping along doing something unexpected.
> >>>
> >>> That's one reason for not specifying them individually :-)
> >>>
> >>> But rather than the JSON looking like:
> >>>
> >>> { "metrics": { "service": "trololol", "metric_f": 0.2, "metric_int": 27
> >> }}
> >>>
> >>> I would have it be something more like:
> >>>
> >>> { "service": "trololol", "metrics": {"foo":"0.2", "bar":"27"}}
> >>>
> >>> then you would do something like
> >>>
> >>> action(type="omriemann" host="$hostname" service="$!service_"
> >> description=""
> >>> metrics="$!metrics" target="ip to riemann server" port="port of
> server")
> >>>
> >>> host could be left out and let it default to $hostname
> >>>
> >>> David Lang
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> >> of
> >>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T
> >>> LIKE THAT.
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
> >>>
> >> _______________________________________________
> >> rsyslog mailing list
> >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >> http://www.rsyslog.com/professional-services/
> >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
> >>
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
> >
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to