Ingest Node - enrich data as it gets in via pipelines

[martijnvg]

[currently open issues]

related issues from other projects:

• Beats: Elasticsearch output HTTP parameters beats#805, Merged! Hurray!
• Kibana: Tail a File Wizard kibana#5974

There are many use-cases where it is important to enrich incoming data. This enrichment may be something simple like using a regular expression to extract metadata from an existing field, or something more advanced like a geoip lookup or language identification. The filter stage of the Logstash processing pipeline provides great examples of the ways in which data is often enriched. Node ingest implements a new type of ES node, which performs this enrichment prior to indexing.

Node ingest is a pure Java implementation of the filters in logstash, integrated with Elasticsearch. It works by wrapping the bulk/index APIs, executing a pipeline that is composed of multiple processors to enrich the documents. A processor is just a component that can modify incoming documents (the source before ES turns it into a document). A pipeline is a list of processors grouped under an unique id. If node ingest is enabled then the index and bulk apis can reroute the the request with documents through a pipeline.

The ingest plugin runs on dedicated client nodes and after bulk and index requests have been enriched these index and bulk request continue their way into the cluster.

Node ingest will be a plugin in the elasticsearch project, implementing 2 main aspects:

The first is a pure Java implementation for Pipeline, Processor, as well as initial processor implementation of grok, geoip, kv/mutate, date. This java implementation can then be reused in others places, such as logstash itself, reindex API, and so on. In the first version of the ingest plugin the processor implementations can reside in the ingest plugin, but the framework and processor implementations shouldn’t rely on any ES specific code, so that later on it can be moved to an isolated library.

The second part is the integration with Elasticsearch. This includes interception of the bulk/index APIs, management APIs (stats and so on in future phase), storage and live reload of the configuration, supporting multiple "live" pipelines, and simulation of pipeline execution.

The goal of the ingest plugin is to make data enrichment easier and it will not replace logstash at all. The ingest plugin should make data enrichment in most of the cases easier when events are only stored in Elasticsearch. For example when only file beat is used to ship logs, a logstash instance will no longer be required. In cases where events are stored in multiple outputs a Logstash installation is required. Also at some point Logstash will reuse the pipeline/processor framework, so the end goal is that both Elasticsearch and Logstash will benefit from the ingest initiative.

Development happens in a feature branch: https://github.com/elastic/elasticsearch/tree/feature/ingest

Current node ingest tasks:

• Hook into the index and bulk APIs. If the ingest plugin is enabled a pipeline_id parameter is available to select what pipeline should be used to preprocess the documents before the index/bulk APIs get executed. First cleanup of the WIP commit #13941
• Manage pipeline configuration. Pipelines are stored as a document in an index. Each node ingest node will have the pipelines in memory around to be used when needed. A background process makes sure that an ingest node will eventually get the modifications. First cleanup of the WIP commit #13941
• The pipeline document enrichment shouldn't be non blocking and happen via a dedicated thread pool. Add pipeline execution service #13990
• Add first version of CRUD pipeline APIs. Add ingest CRUD APIs #14047
• Data substructure manipulation. Processors should be able to introduce new nested fields with no pre-existing parent structure. For example, It should be possible to create a new field "location.lat" without "location" existing. add ability to add nested field values to Data document #14250
• Add grok processor. [WIP] Introduce the GrokProcessor #14132
• Add geoip processor. Add geoip processor #14208
• Add date processor. add date processor #14184
• Add kv/mutate processor. Mutate Processor #14253
• Strict configuration validation Strict pipeline / processor configuration validation #14552
• geoip processor output fields should be configurable [ingest] The fields geoip adds should be configurable #14582
• Add simulate API. This allows pipelines to be tested out before actually being used. This api accepts a pipeline definition and actual documents and the output is the transformed documents and optionally showing how each document gets modified after each processor. [Ingest] Simulate Endpoint #14572
• Do not fail whole bulk request if any pipeline for a single document fails [Ingest] Ingest better bulk failure handling #14888
• Split mutate processor into separate processors for each function (e.g. update, remove, etc) Split mutate processor into one processor per function #14938
• Add support for setting nested fields in document add ability to add nested field values to Data document #14250
• Data and metadata manipulation. [Ingest] Allow document metadata to be modified via the mutate processor #14644
• Processors and factors should throw exception on the interface.
• Throw exception when grok expression does not match [Ingest] No match for grok #15132
• Add ability to provide custom patterns within Grok Processor config definition add ability to define custom grok patterns within processor config #15167
• Reduce number of fields operated on by processors to just one. [Ingest] Have processors operate one field at time. #15133
• Support for ingest transient metadata [Ingest] Support for ingest transient metadata #15036
• on failure pipeline handler [Ingest Plugin] continue_on_failure parameter #14548 / [Ingest] ingest on failure #15565 (tal)
• append processor [Ingest] Add support for array/list access in path  #14324 Add append processor #15577
• Ingest nodes should update pipelines in a sync manner Pipeline config changes should be updated to all ingest nodes in a sync manner #14998 / Add an internal refresh api that makes pipeline changes visible on all ingest nodes #15203 (mvg)
• support for templating in any processor that sets a field value [Ingest] Pipeline template usage  #14990 [Ingest] Remove meta processor and expose templates in other processors #15415 (mvg)
• Add support for ingest node boolean flag to enable/disable ingest at the node level. If a node with node.ingest set to false receives an ingest request, it should explicitly fail. (mvg) [Ingest] add node.ingest setting that controls whether ingest is active #15610
• Figure out if geoip2 library can be used without suppressing jvm access checks. (mvg) Configure jackson-databind to not suppress access checks. maxmind/GeoIP2-java#52
• Ingest forks a thread for each bulk item in a bulk request. Instead ingest should use one thread to process an entire bulk request. (mvg) [Ingest] Change ExecutionService to process multiple request at a time #15593
• Ingest should only try the load the pipelines if the .ingest index has been started. (mvg) Add an internal refresh api that makes pipeline changes visible on all ingest nodes #15203
• Cut over to a non-guice structure. We should at most bind one class to an instance directly rather thatn use the dep-injection framework that we have to un-do once we get rid of juice. Add an internal refresh api that makes pipeline changes visible on all ingest nodes #15203 (mvg)
• Change pipeline_idparam name to pipeline. rename "pipeline_id" param to "pipeline" #15618
• Add index template for the .ingest index, which should be installed by default. [Ingest] define index template for .ingest index #15001 [Ingest] Add index template for the '.ingest' index #15631
• Move ingest infrastructure to core
• Move processors with no dependencies to core
• Make grok a module as it has external deps, but it will be installed by default
• Make geoip a plugin which needs to be installed manually
• If node ingest has been disabled then it should redirect a bulk/index request that has the ingest parameter to a node that has ingest enabled.
• Add more descriptive error messages to pipeline factory exceptions (tal) [Ingest] Add more descriptive pipeline factory errors in _simulate and PUT pipeline/id #16010
• In addition to the isolated processor unit tests we should also test combination of processors. [Ingest] Also tests certain combination of processors #15247
• Benchmark ingest plugin. Benchmark the ingest plugin #14425 (mvg&tal)
• Move DedotProcessor into its own plugin move DeDotProcessor into its own plugin #16322
• Add processor tags to on_failure metadata [Ingest] Update on_failure processor metadata to include a processor's tag #16202
• Documentation before release [Ingest] Documentation needs updating #16009

possible v2 tasks:

• Make it possible to let the ingest plugin know what pipeline to use via index settings / index template.
• configuration management
• _simulate w/ verbose should show document diffs between processor results [Ingest] Change document field of _simulate with verbose=true to diff view #14698
• Composite pipelines. It would be convenient to pre-define certain pipelines that process specific things that can be re-used for other documents. For example, there may be a pipeline that processes date + geoip, and these operate on fields that are common to other documents that may require further processing.
• Add ability to show stats in _simulate response to show resource usage and execution times of pipelines/processors
• A pipeline should be able to choose what (custom) thread it uses. Some pipelines just do some simple modifications to the incoming documents while other may reach out to external systems to enrich the incoming documents. [Ingest] Dealing with ingest load #14616
• Grok discover api [Ingest] Grok discover api #15041
• Add notion of transactions for processors which mutate multiple fields within a document. This will allow on_failure processors to receive a document with a pre-failed-processor state (ref: [Ingest Plugin] continue_on_failure parameter #14548 (comment))
• Add compare processor. [Ingest] Add comparison processor for supporting conditionals in pipeline definition #14647
• Add json processor, which converts a json string into json.
• Add kv processor.

[timini]

Very interesting feature would use this

[marcelhallmann]

When will this plugin ready to use? Sounds very interesting!

Will the plugin be usabel with elastic 1.x?

[javanna]

hi @marcelhallmann we don't have a date nor a targeted version for now, but you can monitor the progress in this meta issue. We will have a first release whenever all of the needed features for the first phase are in. We are developing against master (3.x) and considering backporting to 2.x. We will not backport to 1.x though.