Elasticsearch
Elasticsearch is a distributed search and storage solution used for log analytics, full-text search, security intelligence, business analytics, and operational intelligence use cases. This integration supports histogram aggregate queries that return either a single value or a single pair stored in the `n9-val` field. Any filtering or matches can be applied as long as the output follows the mentioned format.
Authentication
The Nobl9 agent calls the Elasticsearch Get API. To call the Elasticsearch API, you must provide a token. The token can be obtained from the Kibana control panel. All of the required steps are described in the Elasticsearch documentation.
Custom authorization header
For agent versions 0.37.0 and later, you can set the `ELASTICSEARCH_CUSTOM_AUTHORIZATION_HEADER` environment variable to authenticate.
If you want to use the custom header for authentication instead of the `ELASTICSEARCH_TOKEN` in your agent config, you must add the variable `ELASTICSEARCH_CUSTOM_AUTHORIZATION_HEADER` with the appropriate value in the Kubernetes YAML or the Docker runtime. For more details, see the Deploying Elasticsearch agent section.
Scope of support
This integration supports the 7.9.1 version of Elasticsearch.
Adding Elasticsearch as a data source
To ensure data transmission between Nobl9 and your data source, it may be necessary to list Nobl9 IP addresses as trusted.
- 18.159.114.21
- 18.158.132.186
- 3.64.154.26
You can add the Elasticsearch data source using the agent connection method. Start with these steps:
- Navigate to Integrations > Sources.
- Click . The Data Source wizard opens.
- Select Elasticsearch.
Elasticsearch agent
Agent configuration in the UI
Follow the instructions below to configure your Elasticsearch agent:
- Select one of the following Release Channels:
  - The `stable` channel is fully tested by the Nobl9 team. It represents the final product; however, this channel does not contain all the new features of a `beta` release. Use it to avoid crashes and other limitations.
  - The `beta` channel is under active development. Here, you can check out new features and improvements without the risk of affecting any viable SLOs. Remember that features in this channel may be subject to change.
- Add the URL to connect to your data source.
  The URL must point to the Elasticsearch app. If you are using Elastic Cloud, select your deployment, open the deployment details, and copy the Elasticsearch endpoint.
- Select a Project.
  Specifying a project is helpful when multiple users are spread across multiple teams or projects. When the Project field is left blank, Nobl9 uses the `default` project.
- Enter a Display Name.
  You can enter a user-friendly name with spaces in this field.
- Enter a Name.
  The name is mandatory and can only contain lowercase, alphanumeric characters, and dashes (for example, `my-project-1`). Nobl9 duplicates the display name here, transforming it into the supported format, but you can edit the result.
- Enter a Description.
  Here you can add details such as who is responsible for the integration (team/owner) and the purpose of creating it.
- Specify the Query delay to set a customized delay for queries when pulling the data from the data source.
  - The default value in Elasticsearch integration for Query delay is `1 minute`.
  Info: Changing the Query delay may affect your SLI data. For more details, check the Query delay documentation.
- Click Add Data Source.
Agent using CLI - YAML
The YAML for setting up an agent connection to Elasticsearch looks like this:
```yaml
apiVersion: n9/v1alpha
kind: Agent
metadata:
  # Names may contain only lowercase alphanumeric characters and dashes.
  name: elasticsearch
  displayName: Elastic Search Agent
  project: elastic
spec:
  sourceOf:
    - Metrics
    - Services
  releaseChannel: beta
  queryDelay:
    unit: Minute
    value: 720
  elasticsearch:
    url: https://observability-deployment-id.eu-central-1.aws.cloud.es.io:1234
```
Field | Type | Description |
---|---|---|
queryDelay.unit (mandatory) | enum | Specifies the unit for the query delay. Possible values: `Second`, `Minute`. Check the query delay documentation for the default unit of query delay for each source. |
queryDelay.value (mandatory) | numeric | Specifies the value for the query delay. Must be a number less than 1440 minutes (24 hours). Check the query delay documentation for the default unit of query delay for each source. |
releaseChannel (mandatory) | enum | Specifies the release channel. Accepted values: `beta`, `stable`. |
Source-specific fields | | |
elasticsearch.url (mandatory) | string | Must point to the Elasticsearch application. |
You can deploy only one agent in one YAML file by using the `sloctl apply` command.
Deploying Elasticsearch agent
When you add the data source, Nobl9 automatically generates a Kubernetes configuration and a Docker command line for you to use to deploy the agent. Both of these are available in the web UI, under the Agent Configuration section. Be sure to swap in your credentials (e.g., replace the `<ELASTICSEARCH_TOKEN>` with your organization key).
If you use Kubernetes, you can apply the supplied YAML config file to a Kubernetes cluster to deploy the agent. It will look something like this:
```yaml
# DISCLAIMER: This deployment description contains only the fields necessary for the purpose of this demo.
# It is not a ready-to-apply k8s deployment description, and the client_id and client_secret are only exemplary values.
apiVersion: v1
kind: Secret
metadata:
  name: nobl9-agent-nobl9-dev-elasticsearch-elastic-test
  namespace: default
type: Opaque
stringData:
  elasticsearch_token: <ELASTICSEARCH_TOKEN>
  client_id: "unique_client_id"
  client_secret: "unique_client_secret"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nobl9-agent-nobl9-dev-elasticsearch-elastic-test
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      nobl9-agent-name: elastic-test
      nobl9-agent-project: elasticsearch
      nobl9-agent-organization: nobl9-dev
  template:
    metadata:
      labels:
        nobl9-agent-name: elastic-test
        nobl9-agent-project: elasticsearch
        nobl9-agent-organization: nobl9-dev
    spec:
      containers:
        - name: agent-container
          image: nobl9/agent:0.73.2
          resources:
            requests:
              memory: "350Mi"
              cpu: "0.1"
          env:
            - name: N9_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: client_id
                  name: nobl9-agent-nobl9-dev-elasticsearch-elastic-test
            - name: N9_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: client_secret
                  name: nobl9-agent-nobl9-dev-elasticsearch-elastic-test
            - name: ELASTICSEARCH_TOKEN
              valueFrom:
                secretKeyRef:
                  key: elasticsearch_token
                  name: nobl9-agent-nobl9-dev-elasticsearch-elastic-test
            # The N9_METRICS_PORT is a variable specifying the port to which the /metrics and /health endpoints are exposed.
            # The 9090 is the default value and can be changed.
            # If you don't want the metrics to be exposed, comment out or delete the N9_METRICS_PORT variable.
            - name: N9_METRICS_PORT
              value: "9090"
```
When deploying your agent in Kubernetes, you can use `ELASTICSEARCH_CUSTOM_AUTHORIZATION_HEADER` for authentication (for agent versions 0.37.0 and later):
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: nobl9-agent-nobl9-dev-elasticsearch-es-agent2
  namespace: default
type: Opaque
stringData:
  elasticsearch_custom_authorization_header: "Basic YWRtaW46YWRtaW4xMjM="
  client_id: "unique_client_id"
  client_secret: "unique_client_secret"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nobl9-agent-nobl9-dev-elasticsearch-es-agent2
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      nobl9-agent-name: es-agent2
      nobl9-agent-project: elasticsearch
      nobl9-agent-organization: nobl9-dev
  template:
    metadata:
      labels:
        nobl9-agent-name: es-agent2
        nobl9-agent-project: elasticsearch
        nobl9-agent-organization: nobl9-dev
    spec:
      containers:
        - name: agent-container
          image: nobl9/agent:0.73.2-elasticsearch-custom-auth
          resources:
            requests:
              memory: "350Mi"
              cpu: "0.1"
          env:
            - name: N9_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: client_id
                  name: nobl9-agent-nobl9-dev-elasticsearch-es-agent2
            - name: N9_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: client_secret
                  name: nobl9-agent-nobl9-dev-elasticsearch-es-agent2
            - name: ELASTICSEARCH_CUSTOM_AUTHORIZATION_HEADER
              valueFrom:
                secretKeyRef:
                  key: elasticsearch_custom_authorization_header
                  name: nobl9-agent-nobl9-dev-elasticsearch-es-agent2
            # The N9_METRICS_PORT is a variable specifying the port to which the /metrics and /health endpoints are exposed.
            # The 9090 is the default value and can be changed.
            # If you don't want the metrics to be exposed, comment out or delete the N9_METRICS_PORT variable.
            - name: N9_METRICS_PORT
              value: "9090"
```
If you use Docker, you can run the Docker command to deploy the agent. It will look something like this:
```shell
# DISCLAIMER: This docker command contains only the fields necessary for the purpose of this demo.
# It is not a ready-to-apply docker command.
#
# The N9_METRICS_PORT is a variable specifying the port to which the /metrics and /health endpoints are exposed.
# The 9090 is the default value and can be changed.
# If you don't want the metrics to be exposed, delete the N9_METRICS_PORT line.
# (Comments cannot sit between backslash-continued lines, so they are kept above the command.)
docker run -d --restart on-failure \
  --name nobl9-agent-nobl9-dev-elasticsearch-elastic-test \
  -e N9_CLIENT_ID="unique_client_id" \
  -e N9_CLIENT_SECRET="unique_client_secret" \
  -e N9_METRICS_PORT=9090 \
  -e ELASTICSEARCH_TOKEN="<ELASTICSEARCH_TOKEN>" \
  nobl9/agent:0.73.2
```
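An added example (not Nobl9's own code) for the custom authorization header and the Docker command above: shell helpers that build the `Basic` header value and write the agent's variables to an owner-only file for `docker run --env-file`, so the secrets stay out of shell history and the host's process list. The function names and the `./agent.env` path are assumptions; the variable names and image tag are the ones shown on this page.

```shell
#!/bin/sh
# Added example: function names and file paths are hypothetical.

# Build a Basic authorization header value from a user name and password.
# Base64 is an encoding, not encryption: anyone who can read the header
# value can recover the password, so handle it like the password itself.
# $1 = user, $2 = password
n9_basic_auth_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Write NAME=VALUE pairs to an env file that only the owner can read.
# $1 = path, remaining arguments = NAME=VALUE pairs
# Values are written unquoted because docker's --env-file takes everything
# after the first '=' literally, including spaces and quote characters.
n9_write_env_file() {
    (
        umask 077          # new file is created with mode 0600
        path=$1
        shift
        rm -f "$path"      # never reuse a file with wider permissions
        printf '%s\n' "$@" > "$path"
    )
}

# Return the permission string of a file, e.g. -rw-------
n9_env_file_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage (not executed here; the shell variables are placeholders you set):
#   n9_write_env_file ./agent.env \
#       "N9_CLIENT_ID=$N9_CLIENT_ID" \
#       "N9_CLIENT_SECRET=$N9_CLIENT_SECRET" \
#       "ELASTICSEARCH_CUSTOM_AUTHORIZATION_HEADER=$(n9_basic_auth_header "$ES_USER" "$ES_PASSWORD")" \
#       "N9_METRICS_PORT=9090"
#   docker run -d --restart on-failure \
#       --name nobl9-agent-nobl9-dev-elasticsearch-elastic-test \
#       --env-file ./agent.env \
#       nobl9/agent:0.73.2
```

Variables loaded this way are still visible to anyone who can run `docker inspect` on the container, so access to the Docker socket needs the same protection as the file.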