Documentation

Home
AutoOps
Overview
Installation
AutoOps Installation Installation FAQs Troubleshooting
Configuration
How to Set-Up SSO Integration via SAML
Integrations
AutoOps Public API VictorOps Integration Slack Integration Pager Duty Integration Opsgenie Integration Webhook Configuration Microsoft Teams Configuration
How To’s
How to Extract Slow Logs from Elastic Cloud How to Use Ticket System How to Find Cloud Provider Instance Type How to Work With Localhost and Metricbeat
Operator
Overview Operator Architecture Operator Installation How to use the AutoOps Operator Troubleshooting
Search Gateway
Overview Search Gateway Configuration

How to Extract Slow Logs from Elastic Cloud

Summary

This article covers how to activate slow logs in Elastic Cloud and analyze the resulting logs with AutoOps Search Log Analyzer to locate the problematic query/indexing request. 

The steps are as follows:

  1. Activate log shipping
  2. Open search/indexing slow logs
  3. Download slow logs from the elastic cloud with elasticdump
  4. Convert data in JSON format to log format with jq
  5. Upload slow logs to AutoOps Slow Log Analyzer

Activate log shipping

Log in to Elastic Cloud => Logs and Metrics => Ship to a deployment => Enable => Save.

Open search/indexing slow logs

Open search slow logs

PUT *,-.*/_settings
{
  "index.search.slowlog.threshold.query.warn": "1s",
  "index.search.slowlog.threshold.fetch.warn": "1s"
}

Note: The search slow log threshold is now set to 1 second. This means that all queries longer than 1 second will be logged. You can set the threshold value according to your needs.

Open indexing slow logs

PUT *,-.*/_settings
{
  "index.indexing.slowlog.threshold.index.warn": "1s",
  "index.indexing.slowlog.source": "10000"
}

Note: The indexing slow log threshold is now set to 1 second. This means that all indexing longer than 1 second will be logged. You can set the threshold value according to your needs.

Close indexing/search slow logs

You should leave it activated for 1 hour and then disable it.

PUT *,-.*/_settings
{
  "index.search.slowlog.threshold.query.warn": null,
  "index.search.slowlog.threshold.fetch.warn": null
  "index.indexing.slowlog.threshold.index.warn": null
}

Download slow logs from Elastic Cloud with elasticdump

You can find your cluster_id and endpoint from: <cluster_name> => Elasticsearch.

The endpoint looks like this: https://discovery1.es.us-central1.gcp.cloud.es.io.

The cluster_id looks like this: bba90499b38a4f98907ae7610dd03msb.

Note: we will use only this part of the endpoint: “.es.us-central1.gcp.cloud.es.io”.

Before running the `elasticdump` command, let’s check that we have the correct URL with the `curl` command.

curl https://elastic:<password>@bba90499b38a4f98907ae7610dd03msb.es.us-central1.gcp.cloud.es.io:9243
elasticdump --input=https://elastic:<password>@<cluster_id>.<modified_endpoint>:9243/elastic-cloud-logs-* --type=data --output=slow_logs.json --headers='{"Content-Type": "application/json"}' --sourceOnly --searchBody='{"query":{"bool":{"filter":[{"terms":{"event.dataset":["elasticsearch.slowlog"]}}]}}}'

Convert data in JSON format to log format with jq.

When elasticdump finishes downloading, you should transform the .json file to a .log file. You can use the jq for this.

jq -c '{message}' slow_logs.json > slow_logs.log

Upload to Search Log Analyzer in AutoOps

After transforming your log file, please upload it to AutoOps => Search Log Analyzer. You can investigate the slow logs by yourself or turn to your customer support representative for help.