Elasticsearch

Reading time: 0 minute(s) (0 words)

Elasticsearch is a distributed search and storage solution used for log analytics, full-text search, security intelligence, business analytics, and operational intelligence use cases. This integration supports histogram aggregate queries that return either a single value or a single pair stored in n9-val field, any filtering or matches can be applied as long as the output follows the mentioned format.

Elasticsearch parameters and supported features in Nobl9

General support:: Release channel: Stable, Beta; Connection method: Agent; Replay and SLI Analyzer: Historical data limit 30 days. Replay only; Event logs: Not supported; Query checker: Not supported; Query parameters retrieval: Supported; Timestamp cache persistence: Supported
Query parameters:: Query interval: 1 min; Query delay: 1 min; Jitter: 15 sec; Timeout: 30 sec
Agent details and minimum required versions for supported features:: Plugin name: n9elasticsearch; Query delay environment variable: ES_QUERY_DELAY, ELASTICSEARCH_CUSTOM_AUTHORIZATION_HEADER, N9_ELASTIC_SEARCH_MAX_BUCKETS; Replay and SLI Analyzer: 0.85.0-beta; Query parameters retrieval: 0.73.2; Timestamp cache persistence: 0.65.0
Additional notes:: Support for Elasticsearch v7.9.1; Support for AWS OpenSearch with agent v0.89.0-beta

Authentication

The Nobl9 agent calls the Elasticsearch Get API. For this, an authorization token is required. The token can be obtained from the Kibana control panel.

Learn about API keys in Elasticsearch.

Alternatively, you can provide a custom authorization header when deploying your Elasticsearch agent.

Adding Elasticsearch as a data source

To ensure data transmission between Nobl9 and Elasticsearch, it may be necessary to list Nobl9 IP addresses as trusted.

💻ip allowlist

IP addresses to include in your allowlist for secure access:

If you're using app.nobl9.com instance:

18.159.114.21
18.158.132.186
3.64.154.26

If you're using us1.nobl9.com instance:

34.121.54.120
34.123.193.191
34.134.71.10
35.192.105.150
35.225.248.37
35.226.78.175
104.198.44.161

You can add the Elasticsearch data source using the agent connection method.

Nobl9 Web

Follow the instructions below to configure your Elasticsearch agent:

Navigate to Integrations > Sources.
Click .
Click the required Source button.
Choose Agent.

Select one of the following Release Channels:
- The stable channel is fully tested by the Nobl9 team. It represents the final product; however, this channel does not contain all the new features of a beta release. Use it to avoid crashes and other limitations.
- The beta channel is under active development. Here, you can check out new features and improvements without the risk of affecting any viable SLOs. Remember that features in this channel can change.
Add the URL to connect to your data source.
The URL must point to the Elasticsearch app. If you are using Elastic Cloud, the URL can be obtained from here. Select your deployment, open the deployment details, and copy the Elasticsearch endpoint.

Select a Project.
Specifying a project is helpful when multiple users are spread across multiple teams or projects. When the Project field is left blank, Nobl9 uses the default project.
Enter a Display Name.
You can enter a user-friendly name with spaces in this field.
Enter a Name.
The name is mandatory and can only contain lowercase, alphanumeric characters, and dashes (for example, my-project-1). Nobl9 duplicates the display name here, transforming it into the supported format, but you can edit the result.
Enter a Description.
Here you can add details such as who is responsible for the integration (team/owner) and the purpose of creating it.
Specify the Query delay to set a customized delay for queries when pulling the data from the data source.
- The default value in Elasticsearch integration for Query delay is 1 minute.
info
Changing the Query delay may affect your SLI data. For more details, check the Query delay documentation.
Enter a Maximum Period for Historical Data Retrieval.
- This value defines how far back in the past your data will be retrieved when replaying your SLO based on this data source.
- The maximum period value depends on the data source.
  Find the maximum value for your data source.
- A greater period can extend the loading time when creating an SLO.
Enter a Default Period for Historical Data Retrieval.
- It is used by SLOs connected to this data source.
- The value must be a positive integer or 0.
- By default, this value is set to 0. When you set it to >0, you will create SLOs with Replay.
Click Add Data Source.

Deploy your agent in a Kubernetes cluster or Docker container.

sloctl

Create a YAML definition to set up an agent connection with Elasticsearch. For this, refer to the following example:

Sample YAML configuration for adding Elasticsearch with the agent connection method
apiVersion: n9/v1alpha
kind: Agent
metadata:
  name: elasticsearch
  displayName: Elasticsearch Agent
  project: default
spec:
  description: Example Elasticsearch Agent
  releaseChannel: beta
  elasticsearch:
    url: http://elasticsearch-main.elasticsearch:9200
  historicalDataRetrieval:
    maxDuration:
      value: 30
      unit: Day
    defaultDuration:
      value: 15
      unit: Day
  queryDelay:
    value: 2
    unit: Minute

Field	Type	Description
`queryDelay.unit` mandatory	enum	Specifies the unit for the query delay. Possible values: `Second` \| `Minute`. • Check query delay documentation for default unit of query delay for each source.
`queryDelay.value` mandatory	numeric	Specifies the value for the query delay. • Must be a number less than 1440 minutes (24 hours). • Check query delay documentation for default unit of query delay for each source.
`releaseChannel` mandatory	enum	Specifies the release channel. Accepted values: `beta` \| `stable`.
Source-specific fields
`elasticsearch.url` mandatory	string	Must point to the Elasticsearch application.
Replay-related fields
`historicalDataRetrieval` optional	n/a	Optional structure related to configuration related to Replay. ❗ Use only with supported sources. • If omitted, Nobl9 uses the default values of `value: 0` and `unit: Day` for `maxDuration` and `defaultDuration`.
`maxDuration.value` optional	numeric	Specifies the maximum duration for historical data retrieval. Must be integer `≥ 0`. See Replay documentation for values of max duration per data source.
`maxDuration.unit` optional	enum	Specifies the unit for the maximum duration of historical data retrieval. Accepted values: `Minute` \| `Hour` \| `Day`.
`defaultDuration.value` optional	numeric	Specifies the default duration for historical data retrieval. Must be integer `≥ 0` and `≤` `maxDuration`.
`defaultDuration.unit` optional	enum	Specifies the unit for the default duration of historical data retrieval. Accepted values: `Minute` \| `Hour` \| `Day`.

Apply your YAML definition using the sloctl apply command.
Deploy your agent in a Kubernetes cluster or Docker container.

Deployment notes

As an alternative to the authentication token, you can provide a custom authorization header with the ELASTICSEARCH_CUSTOM_AUTHORIZATION_HEADER environment variable when deploying your Elasticsearch agent.
You can also set the AWS_REGION environment variable when you need to establish connection between your Elasticsearch Nobl9 agent1 and Amazon OpenSearch Service.
- Enter your required region as the value of AWS_REGION.
  With it, your Elasticsearch agent is connected to Amazon OpenSearch Service using the default system role.
- To connect with any other role, pass it with the N9_OPENSEARCH_AWS_ROLE_ARN variable.