Changing Default Elasticsearch Settings for Event Analytics
Learn about optional changes you can make to the default Elasticsearch settings for Event Analytics in Oracle Communications Unified Assurance.
Note:
If your installation uses Elasticsearch database redundancy, you must make all changes on both presentation servers. A change made on one server is not automatically copied to the other server.
Changing Elasticsearch Index Lifecycle Policies
By default, 30 days' worth of event data is stored in the Elasticsearch index for Event Analytics. You can change how long event data is stored by changing the index lifecycle policy. For example, you can save hard drive space in single server installations by storing data for less than 30 days.
On each presentation server, perform the following steps:
-
Go to the Event Analytics Management UI.
Analytics -> Events -> Administration -> Management
-
Under Data, click Index Lifecycle Policies.
-
In the list of policies, click ilm-eventanalytics.
-
In the Delete phase section, enter new values for when to delete data.
Caution:
Before increasing the length of time to keep data, consider the additional hard drive space that will be used. You can estimate the amount of space by looking at the existing indices, averaging the storage sizes, and multiplying that value by the new retention time.
-
Click Save Policy.
Discarding Incoming Records
By default, all records sent by the MySQL Replicated Data Importer are inserted into the Elasticsearch database. You can optionally discard some incoming records based on your requirements by adding a drop processor to the Elasticsearch ingest pipeline. You can add the processor using the Event Analytics Management UI or by submitting a PUT request in the Event Analytics console.
Adding a Drop Processor Using the Event Analytics Management UI
On each presentation server, perform the following steps:
-
Go to the Event Analytics Management UI.
Analytics -> Events -> Administration -> Management
-
Under Ingest, click Ingest Pipelines.
-
In the list of ingest pipelines, click eventanalytics.
The ingest pipeline details are displayed.
-
From the Manage menu, select Edit.
The page for editing the pipeline opens.
-
Under Processors, click Add a processor.
-
In the Processor field, enter Drop and press Enter.
-
In the Condition field, enter the condition by which records should be dropped.
For example, to drop all records with severity 1 (unknown), enter ctx.Severity == 1.
-
Click Add.
The processor is added to the pipeline.
-
Click Save Pipeline.
For more information about ingest pipelines and drop processors, see Ingest pipelines and Drop processor in the Elasticsearch documentation.
Adding a Drop Processor Using the Event Analytics Console
On each presentation server, perform the following steps:
-
Go to the Event Analytics console:
Analytics -> Events -> Administration -> Console
-
Enter the following request:
GET /_ingest/pipeline/eventanalytics -
Click the green triangle on the first line of the request to submit it.
The console displays the current definition of the eventanalytics ingest pipeline. By default, this is:
{ "eventanalytics" : { "description" : "Parse Assure1 events", "processors" : [ { "set" : { "value" : "{{Node}}", "field" : "Entity" } }, { "set" : { "if" : "ctx.SubNode != ''", "value" : "{{Node}}:{{SubNode}}", "field" : "Entity" } } ] } } -
Enter a PUT request to the same endpoint, adding a new drop processor to the existing processors from the GET request.
For example, to add a processor that drops all records with severity 1 (unknown):
PUT _ingest/pipeline/eventanalytics { "description": "Parse Assure1 events", "processors": [ { "set" : { "value" : "{{Node}}", "field" : "Entity" } }, { "set" : { "if" : "ctx.SubNode != ''", "value" : "{{Node}}:{{SubNode}}", "field" : "Entity" } }, { "drop": { "if": "ctx.Severity == 1" } } ] } -
Click the green triangle on the first line of the request to submit it.
The pipeline is updated with the new processor.
For more information about these requests, see Create or update pipeline API and Get pipeline API in the Elasticsearch documentation.