Amazon OpenSearch Ingestion is a completely managed, serverless information pipeline that simplifies the method of ingesting information into Amazon OpenSearch Service and OpenSearch Serverless collections. Some key ideas embody:
- Supply – Enter part that specifies how the pipeline ingests the info. Every pipeline has a single supply which may be both push-based and pull-based.
- Processors – Intermediate processing models that may filter, rework, and enrich data earlier than supply.
- Sink – Output part that specifies the vacation spot(s) to which the pipeline publishes information. It may publish data to a number of locations.
- Buffer – It’s the layer between the supply and the sink. It serves as non permanent storage for occasions, decoupling the supply from the downstream processors and sinks. Amazon OpenSearch Ingestion additionally presents a persistent buffer choice for push-based sources
- Lifeless-letter queues (DLQs) – Configures Amazon Easy Storage Service (Amazon S3) to seize data that fail to jot down to the sink, enabling error dealing with and troubleshooting.
This end-to-end information ingestion service may help you accumulate, course of, and ship information to your OpenSearch environments with out the necessity to handle underlying infrastructure.
This put up gives an in-depth have a look at organising Amazon CloudWatch alarms for OpenSearch Ingestion pipelines. It goes past our really helpful alarms to assist establish bottlenecks within the pipeline, whether or not that’s within the sink, the OpenSearch clusters information is being despatched to, the processors, or the pipeline not pulling or accepting sufficient from the supply. This put up will enable you to proactively monitor and troubleshoot your OpenSearch Ingestion pipelines.
Overview
Monitoring your OpenSearch Ingestion pipelines is essential for catching and addressing points early. By understanding the important thing metrics and organising the best alarms, you may proactively handle the well being and efficiency of your information ingestion workflows. Within the following sections, we offer particulars about alarm metrics for various sources, displays, and sinks. The precise values for the edge, interval, and datapoints to alarm used for alarms can fluctuate primarily based on the person use case and necessities.
Stipulations
To create an OpenSearch Ingestion pipeline, consult with Creating Amazon OpenSearch Ingestion pipelines. For creating CloudWatch alarms, consult with Create a CloudWatch alarm primarily based on a static threshold.
You may allow logging for OpenSearch Ingestion Pipeline, which captures numerous log messages throughout pipeline operations and ingestion exercise, together with errors, warnings, and informational messages. For particulars on enabling and monitoring pipeline logs, consult with Monitoring pipeline logs
Sources
The entry level of your pipeline is usually the place monitoring ought to start. By setting applicable alarms for supply elements, you may shortly establish ingestion bottlenecks or connection points. The next desk summarizes key alarm metrics for various sources.
| Supply | Alarm | Description | Advisable Motion |
| HTTP/ OpenTelemetry | requestsTooLarge.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The request payload dimension of the consumer (information producer) is larger than the utmost request payload dimension, ensuing within the standing code HTTP 413. The default most request payload dimension is 10 MB for HTTP sources and 4 MB for OpenTelemetry sources. The restrict for the HTTP sources may be elevated for the pipelines with persistent buffer enabled. | The chunk dimension for the consumer may be diminished in order that the request payload doesn’t exceed the utmost dimension. You may study the distribution of payload sizes of incoming requests utilizing the payloadSize.sum metric. |
| HTTP | requestsRejected.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The request was despatched to the HTTP endpoint of the OpenSearch Ingestion pipeline by the consumer (information producer), however the request wasn’t accepted by the pipeline, and it rejected the request with the standing code 429 within the response. | For persistent points, take into account growing the minimal OCUs for the pipeline to allocate extra sources for request processing. |
| Amazon S3 | s3ObjectsFailed.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The pipeline is unable to learn some objects from the Amazon S3 supply. | Consult with REF-003 in Reference Information beneath. |
| Amazon DynamoDB | Distinction for totalOpenShards.max - activeShardsInProcessing.worthThreshold: >0 Statistic: Most (totalOpenShards.max) and Sum (activeShardsInProcessing.worth) Datapoints to Alarm: 3 out of three.Further Observe: refer REF-004 for extra particulars on configuring this particular alarm. |
It displays alignment between complete open shards that ought to be processed by the pipeline and energetic shards at present in processing. The activeShardsInProcessing.worth will go down periodically as shards shut however ought to by no means misalign from ‘totalOpenShards.max’ for longer than a few minutes. |
If the alarm is triggered, you may take into account stopping and beginning the pipeline, this selection resets the pipeline’s state, and the pipeline will restart with a brand new full export. It’s non-destructive, so it does not delete your index or any information in DynamoDB. When you don’t create a recent index earlier than you do that, you may see a excessive variety of errors from model conflicts as a result of the export tries to insert older paperwork than the present _version within the index. You may safely ignore these errors. For root trigger evaluation on the misalignment, you may attain out to AWS Help |
| Amazon DynamoDB | dynamodb.changeEventsProcessingErrors.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The variety of processing errors for change occasions for a pipeline with stream processing for DynamoDB. | If the metrics report growing values, consult with REF-002 in Reference Information beneath |
| Amazon DocumentDB | documentdb.exportJobFailure.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The try to set off an export to Amazon S3 failed. | Assessment ERROR-level logs within the pipeline logs for entries starting with “Obtained an exception throughout export from DocumentDB, backing off and retrying.” These logs comprise the whole exception particulars indicating the basis explanation for the failure. |
| Amazon DocumentDB | documentdb.changeEventsProcessingErrors.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The variety of processing errors for change occasions for a pipeline with stream processing for Amazon DocumentDB. | Consult with REF-002 in Reference Information beneath |
| Kafka | kafka.numberOfDeserializationErrors.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The OpenSearch Ingestion pipeline encountered deserialization errors whereas consuming a file from Kafka. | Assessment WARN-level logs within the pipeline logs and confirm serde_format is configured accurately within the pipeline configuration and the pipeline position has entry to the AWS Glue Schema Registry (if used). |
| OpenSearch | opensearch.processingErrors.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
Processing errors have been encountered whereas studying from the index. Ideally, the OpenSearch Ingestion pipeline would retry mechanically, however for unknown exceptions, it would skip processing. | Consult with REF-001 or REF-002 in Reference Information beneath, to get the exception particulars that resulted in processing errors. |
| Amazon Kinesis Knowledge Streams | kinesis_data_streams.recordProcessingErrors.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The OpenSearch Ingestion pipeline encountered an error whereas processing the data. | If the metrics report growing values, consult with REF-002 in Reference Information beneath, which may help in figuring out the trigger. |
| Amazon Kinesis Knowledge Streams | kinesis_data_streams.acknowledgementSetFailures.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The pipeline encountered a unfavorable acknowledgment whereas processing the streams, inflicting it to reprocess the stream. | Consult with REF-001 or REF-002 in Reference Information beneath. |
| Confluence | confluence.searchRequestsFailed.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
Whereas making an attempt to fetch the content material, the pipeline encountered the exception. | Assessment ERROR-level logs within the pipeline logs for entries starting with “Error whereas fetching content material.” These logs comprise the whole exception particulars indicating the basis explanation for the failure. |
| Confluence | confluence.authFailures.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The variety of UNAUTHORIZED exceptions acquired whereas establishing the connection | Though the service ought to mechanically renew tokens, if the metrics present an growing worth, overview ERROR-level logs within the pipeline logs to establish why the token refresh is failing. |
| Jira | jira.ticketRequestsFailed.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
Whereas making an attempt to fetch the problem, the pipeline encountered an exception. | Assessment ERROR-level logs within the pipeline logs for entries starting with “Error whereas fetching challenge.” These logs comprise the whole exception particulars indicating the basis explanation for the failure. |
| Jira | jira.authFailures.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The variety of UNAUTHORIZED exceptions acquired whereas establishing the connection. | Though the service ought to mechanically renew tokens, if the metrics present an growing worth, overview ERROR-level logs within the pipeline logs to establish why the token refresh is failing. |
Processors
The next desk gives particulars about alarm metrics for various processors.
| Processor | Alarm | Description | Advisable Motion |
| AWS Lambda | aws_lambda_processor.recordsFailedToSentLambda.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
Among the data couldn’t be despatched to Lambda. | Within the case of excessive values for this metric, consult with REF-002 in Reference Information beneath. |
| AWS Lambda | aws_lambda_processor.numberOfRequestsFailed.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The pipeline was unable to invoke the Lambda operate. | Though this example shouldn’t happen below regular situations, if it does, overview Lambda logs and consult with REF-002 in Reference Information beneath. |
| AWS Lambda | aws_lambda_processor.requestPayloadSize.maxThreshold: >= 6292536 Statistic: MAXIMUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The payload dimension is exceeding the 6 MB restrict, so the Lambda operate can’t be invoked. | Contemplate revisiting the batching thresholds within the pipeline configuration for the aws_lambda processor. |
| Grok | grok.grokProcessingMismatch.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The incoming information doesn’t match the Grok sample outlined within the pipeline configuration. | Within the case of excessive values for this metric, overview the Grok processor configurations and ensure the outlined sample matches in response to the incoming information. |
| Grok | grok.grokProcessingErrors.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The pipeline encountered an exception when extracting the knowledge from the incoming information in response to the outlined Grok sample. | Within the case of excessive values for this metric, consult with REF-002 in Reference Information beneath. |
| Grok | grok.grokProcessingTime.maxThreshold: >= 1000 Statistic: MAXIMUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The utmost period of time that every particular person file takes to match in opposition to patterns from the match configuration choice. | If the time taken is the same as or greater than 1 second, examine the incoming information and the Grok sample. The utmost period of time throughout which matching happens is 30,000 milliseconds, which is managed by the timeout_millis parameter. |
Sinks and DLQs
The next desk comprises particulars about alarm metrics for various sinks and DLQs.
| Sink | Alarm | Description | Advisable Motion |
| OpenSearch | opensearch.bulkRequestErrors.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The variety of errors encountered whereas sending a bulk request. | Consult with REF-002 in Reference Information beneath which may help to establish the exception particulars. |
| OpenSearch | opensearch.bulkRequestFailed.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The variety of errors acquired after sending the majority request to the OpenSearch area. | Consult with REF-001 in Reference Information beneath which may help to establish the exception particulars. |
| Amazon S3 | s3.s3SinkObjectsFailed.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The OpenSearch Ingestion pipeline encountered a failure whereas writing the article to Amazon S3. | Confirm that the pipeline position has the mandatory permissions to jot down objects to the required S3 key. Assessment the pipeline logs to establish the particular keys the place failures occurred. Monitor the s3.s3SinkObjectsEventsFailed.depend metric for granular particulars on the variety of failed write operations. |
| Amazon S3 DLQ | s3.dlqS3RecordsFailed.dependThreshold: >0 Statistic: SUM Interval: 5 minutes Datapoints to alarm: 1 out 1 |
For a pipeline with DLQ enabled, the data are both despatched to the sink or to the DLQ (if they’re unable to ship to the sink). This alarm signifies the pipeline was unable to ship the data to the DLQ attributable to some error. | Consult with REF-002 in Reference Information beneath which may help to establish the exception particulars. |
Buffer
The next desk comprises particulars about alarm metrics for buffers.
| Buffer | Alarm | Description | Advisable Motion |
| BlockingBuffer | BlockingBuffer.bufferUsage.worthThreshold: >80 Statistic: AVERAGE Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The p.c utilization, primarily based on the variety of data within the buffer. | To research additional, examine if the Pipeline is bottlenecked attributable to processors or sink by evaluating timeElapsed.max metrics and analyzing bulkRequestLatency.max |
| Persistent | persistentBufferRead.recordsLagMax.worthThreshold: > 5000 Statistic: AVERAGE Interval: 5 minutes Datapoints to alarm: 1 out 1 |
The utmost lag by way of variety of data saved within the persistent buffer. | If the worth for bufferUsage is low, improve the utmost OCUs. If bufferUsage can also be excessive [>80], examine if pipeline is bottlenecked by processors or sink. |
Reference Information
The next present steering for resolving frequent pipeline points together with common reference.
REF-001: WARN-level Log Assessment
Assessment WARN-level logs within the pipeline logs to establish the exception particulars.
REF-002: ERROR-level Log Assessment
Assessment ERROR-level logs within the pipeline logs to establish the exception particulars.
REF-003: S3 Objects Failed
When troubleshooting growing s3ObjectsFailed.depend values, monitor these particular metrics to slender down the basis trigger:
s3ObjectsAccessDenied.depend– This metric increments when the pipeline encounters Entry Denied or Forbidden errors whereas studying S3 objects. Frequent causes embody:- Inadequate permissions within the pipeline position.
- Restrictive S3 bucket coverage not permitting the pipeline position entry.
- For cross-account S3 buckets, incorrectly configured bucket_owners mapping.
s3ObjectsNotFound.depend– This metric increments when the pipeline receives Not Discovered errors whereas trying to learn S3 objects.
For additional help with the really helpful actions, contact AWS assist.
REF-004: Configuring Alarm for distinction in totalOpenShards.max and activeShardsInProcessing.worth for Amazon DynamoDB supply.
- Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
- Within the navigation pane, select Alarms, All alarms.
- Select Create alarm.
- Select Choose Metric.
- Choose Supply.
- In supply, following JSON can be utilized after updating the
, and .
Let’s overview couple of situations primarily based on the above metrics.
State of affairs 1 – Perceive and Decrease Pipeline Latency
Latency inside a pipeline is constructed up of three important elements:
- The time it takes to ship paperwork through bulk requests to OpenSearch,
- the time it takes for information to undergo the pipeline processors, and
- the time that information sits within the pipeline buffer
Bulk requests and processors (final two gadgets within the earlier listing) are the basis causes for why the buffer builds up and results in latency.
To observe how a lot information is being saved within the buffer, monitor the bufferUsage.worth metric. The one strategy to decrease latency throughout the buffer is to optimize the pipeline processors and sink bulk request latency, relying on which of these is the bottleneck.
The bulkRequestLatency metric measures the time taken to execute bulk requests, together with retries, and can be utilized to watch write efficiency to the OpenSearch sink. If this metric reviews an unusually excessive worth, it signifies that the OpenSearch sink could also be overloaded, inflicting elevated processing time. To troubleshoot additional, overview the bulkRequestNumberOfRetries.depend metric to substantiate whether or not the excessive latency is because of rejections from OpenSearch which can be resulting in retries, equivalent to throttling (429 errors) or different causes. If doc errors are current, study the configured DLQ to establish the failed doc particulars. Moreover, the max_retries parameter may be configured within the pipeline configuration to restrict the variety of retries. Nevertheless, if the documentErrors metric reviews zero, the bulkRequestNumberOfRetries.depend can also be zero, and the bulkRequestLatency stays excessive, it’s doubtless an indicator that the OpenSearch sink is overloaded. On this case, overview the vacation spot metrics for extra particulars.
If the bulkRequestLatency metric is low (for instance, lower than 1.5 seconds) and the bulkRequestNumberOfRetries metric is reported as 0, then the bottleneck is probably going throughout the pipeline processors. To observe the efficiency of the processors, overview the timeElapsed, it might be attributable to a gradual grok sample that may be optimized and even changed with a extra performant processor, relying on the use case.
State of affairs 2 – Understanding and Resolving Doc Errors to OpenSearch
The documentErrors.depend metric tracks the variety of paperwork that did not be despatched by bulk requests. The failure can occur attributable to numerous causes equivalent to mapping conflicts, invalid information codecs, or schema mismatches. When this metric reviews a non-zero worth, it signifies that some paperwork are being rejected by OpenSearch. To establish the basis trigger, study the configured Lifeless Letter Queue (DLQ), which captures the failed paperwork together with error particulars. The DLQ gives details about why particular paperwork failed, enabling you to establish patterns equivalent to incorrect subject varieties, lacking required fields, or information that exceeds dimension limits. For instance, discover the pattern DLQ objects for frequent points beneath:
Mapper parsing exception:
Right here, OpenSearch can’t retailer the textual content string “N/A” in a subject that’s just for numbers, so it rejects the doc and shops it within the DLQ.
Restrict of complete fields exceeded:
The index.mapping.total_fields.restrict setting is the parameter that controls the utmost variety of fields allowed in an index mapping, and exceeding this restrict will trigger indexing operations to fail. You may examine if all these fields are required or leverage numerous processors supplied by OpenSearch Ingestion to rework the info.
As soon as these points are recognized, you may both appropriate the supply information, alter the pipeline configuration to rework the info appropriately, or modify the OpenSearch index mapping to accommodate the incoming information format.
Clear up
When organising alarms for monitoring your OpenSearch Ingestion pipelines, it’s essential to be aware of the potential prices concerned. Every alarm you configure will incur costs primarily based on the CloudWatch pricing mannequin.
To keep away from pointless bills, we suggest rigorously evaluating your alarm necessities and configuring them accordingly. Solely arrange the alarms which can be important in your use case, and recurrently overview your alarm configurations to establish and take away unused or redundant alarms.
Conclusion
On this put up, we explored the excellent monitoring capabilities for OpenSearch Ingestion pipelines via CloudWatch alarms, overlaying key metrics throughout numerous sources, processors, and sinks. Though this put up highlights essentially the most important metrics, there’s extra to find. For a deeper dive, consult with the next sources:
Efficient monitoring via CloudWatch alarms is essential for sustaining wholesome ingestion pipelines and sustaining optimum information movement.
Concerning the authors
