google_bigquery

Author: Rodrigo De Castro <rdc@google.com> Date: 2013-09-20

Copyright 2013 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Summary: plugin to upload log events to Google BigQuery (BQ), rolling files based on the date pattern provided as a configuration setting. Events are written to files locally and, once file is closed, this plugin uploads it to the configured BigQuery dataset.

VERY IMPORTANT: 1 - To make good use of BigQuery, your log events should be parsed and structured. Consider using grok to parse your events into fields that can be uploaded to BQ. 2 - You must configure your plugin so it gets events with the same structure, so the BigQuery schema suits them. In case you want to upload log events with different structures, you can utilize multiple configuration blocks, separating different log events with Logstash conditionals. More details on Logstash conditionals can be found here: http://logstash.net/docs/1.2.1/configuration#conditionals

For more info on Google BigQuery, please go to: https://developers.google.com/bigquery/

In order to use this plugin, a Google service account must be used. For more information, please refer to: https://developers.google.com/storage/docs/authentication#service_accounts

Recommendations: a - Experiment with the settings depending on how much log data you generate, your needs to see "fresh" data, and how much data you could lose in the event of crash. For instance, if you want to see recent data in BQ quickly, you could configure the plugin to upload data every minute or so (provided you have enough log events to justify that). Note also, that if uploads are too frequent, there is no guarantee that they will be imported in the same order, so later data may be available before earlier data. b - BigQuery charges for storage and for queries, depending on how much data it reads to perform a query. These are other aspects to consider when considering the date pattern which will be used to create new tables and also how to compose the queries when using BQ. For more info on BigQuery Pricing, please access: https://developers.google.com/bigquery/pricing

USAGE: This is an example of logstash config:

output { google_bigquery { project_id ⇒ "folkloric-guru-278" (required) dataset ⇒ "logs" (required) csv_schema ⇒ "path:STRING,status:INTEGER,score:FLOAT" (required) key_path ⇒ "/path/to/privatekey.p12" (required) key_password ⇒ "notasecret" (optional) service_account ⇒ "1234@developer.gserviceaccount.com" (required) temp_directory ⇒ "/tmp/logstash-bq" (optional) temp_file_prefix ⇒ "logstash_bq" (optional) date_pattern ⇒ "%Y-%m-%dT%H:00" (optional) flush_interval_secs ⇒ 2 (optional) uploader_interval_secs ⇒ 60 (optional) deleter_interval_secs ⇒ 60 (optional) } }

Improvements TODO list: - Refactor common code between Google BQ and GCS plugins. - Turn Google API code into a Plugin Mixin (like AwsConfig). - There’s no recover method, so if logstash/plugin crashes, files may not be uploaded to BQ.

google_bigquery {
    csv_schema => ...
    dataset => ...
    key_path => ...
    project_id => ...
    service_account => ...
}