Splunk Databases:
We will discuss Splunk Database. This is a proprietary database.
Data is written to databases organized under home, thawed and cold database paths in a folder under the SPLUNK_HOME environment setting. The home path is thedefault path for the data to be written and is called the hot path. The sense oftemperature with the database paths is to indicate the actively used versus archivable data. Data in the cold path for example can be on cheaper storage.
These paths can be configured per index (an organizational unit that shares nothingwith others ). Each database can have several buckets of data and this isconfigurable. Buckets are time-series values with a min and a max timestamp. They hold three kinds of data. The first is a file with data extension that stores metadata such as Source/SourceType/Host metadata. The second is a TSIDX file (short for TimeSeries Index) that builds a lexicon of different words/fields extracted from the raw data and a posting of each occurrence for that word/field. They hold pointers to rawdata. Tsidx is an inverted index whose postings are stored in reverse-time order. It is optimized to execute search and return millions of events in reverse time order and interfaces with the higher layers / Lispy language. Finally, the bucket contains the rawdata. A compressed rawdata journal stores raw events in an efficient format. It contains enough information to rebuild the entire bucket.
In the bucket lifecycle, the data rolls over from the hot->warm->cold->frozen buckets.
Search is on a bucket by bucket basis. Buckets may overlap in time when searchrequests events to be returned in reverse time order. Set the cursor for each bucketto be the latest time of that bucket, read a chunk of data from bucket with latestcursor and move cursor to the latest time of unread data from the bucket.
Occassionally, streaming data can create different small time-series index files which make search inefficient. So they are consolidated into larger files with splunk-optimize command.
In addition, each database has a BucketManifest file. This file just lists the metadata for each bucket namely the id, path, raw_size, host_count, source_count,sourcetype_count, size_on_disk, modtime, frozen_in_cluster etc. Buckets are internalto the database.
The Database uses the buckets to retrieve values to satisfy a query. The values arewrapped to include metadata namely dbid, event_address, host, type, source,sourcetype, and timestamp. When filtering a query results the data has to match thetimestamp range.
Database and Bucket Partition Policy:
Policies applied to database are maintained by this class. It has a set of properties for the database and starts out with initialized values for these properties.
The properties include counts of different buckets, their allowed sizes, theiroptimization time, etc.
While the DatabaseDirectoryManager is mostly read only operations on thedatabase, the DatabasePartitionPolicy enables writes to the database bydetermining the database from the specified index in the event and updating the time range of the database with the event time, if necessary.
To keep the events sorted in time order, we could have a buffer to hold delayed and out of order events which we can sequence with a sliding window:
public static void Add(this int[] events, int seq )
{
events[events.Length + 1] = seq;
int start = events.Length - Lookahead > 1 ? events.Length - Lookahead : 1
int end = events.Length;
int min = events.Where((x,i) => i >= start && i <= end).Min();
int index = events.Where((x,i) => i >= start && i <= end).IndexOf(min);
events[start-1] = min;
for (int i = index; i < end; i++) events[i] = events[i+1];
events.RemoveAt(end);
}
We will discuss Splunk Database. This is a proprietary database.
Data is written to databases organized under home, thawed and cold database paths in a folder under the SPLUNK_HOME environment setting. The home path is thedefault path for the data to be written and is called the hot path. The sense oftemperature with the database paths is to indicate the actively used versus archivable data. Data in the cold path for example can be on cheaper storage.
These paths can be configured per index (an organizational unit that shares nothingwith others ). Each database can have several buckets of data and this isconfigurable. Buckets are time-series values with a min and a max timestamp. They hold three kinds of data. The first is a file with data extension that stores metadata such as Source/SourceType/Host metadata. The second is a TSIDX file (short for TimeSeries Index) that builds a lexicon of different words/fields extracted from the raw data and a posting of each occurrence for that word/field. They hold pointers to rawdata. Tsidx is an inverted index whose postings are stored in reverse-time order. It is optimized to execute search and return millions of events in reverse time order and interfaces with the higher layers / Lispy language. Finally, the bucket contains the rawdata. A compressed rawdata journal stores raw events in an efficient format. It contains enough information to rebuild the entire bucket.
In the bucket lifecycle, the data rolls over from the hot->warm->cold->frozen buckets.
Search is on a bucket by bucket basis. Buckets may overlap in time when searchrequests events to be returned in reverse time order. Set the cursor for each bucketto be the latest time of that bucket, read a chunk of data from bucket with latestcursor and move cursor to the latest time of unread data from the bucket.
Occassionally, streaming data can create different small time-series index files which make search inefficient. So they are consolidated into larger files with splunk-optimize command.
In addition, each database has a BucketManifest file. This file just lists the metadata for each bucket namely the id, path, raw_size, host_count, source_count,sourcetype_count, size_on_disk, modtime, frozen_in_cluster etc. Buckets are internalto the database.
The Database uses the buckets to retrieve values to satisfy a query. The values arewrapped to include metadata namely dbid, event_address, host, type, source,sourcetype, and timestamp. When filtering a query results the data has to match thetimestamp range.
Database and Bucket Partition Policy:
Policies applied to database are maintained by this class. It has a set of properties for the database and starts out with initialized values for these properties.
The properties include counts of different buckets, their allowed sizes, theiroptimization time, etc.
While the DatabaseDirectoryManager is mostly read only operations on thedatabase, the DatabasePartitionPolicy enables writes to the database bydetermining the database from the specified index in the event and updating the time range of the database with the event time, if necessary.
To keep the events sorted in time order, we could have a buffer to hold delayed and out of order events which we can sequence with a sliding window:
public static void Add(this int[] events, int seq )
{
events[events.Length + 1] = seq;
int start = events.Length - Lookahead > 1 ? events.Length - Lookahead : 1
int end = events.Length;
int min = events.Where((x,i) => i >= start && i <= end).Min();
int index = events.Where((x,i) => i >= start && i <= end).IndexOf(min);
events[start-1] = min;
for (int i = index; i < end; i++) events[i] = events[i+1];
events.RemoveAt(end);
}
No comments:
Post a Comment