Jad Naous The current crop of logging solutions out there is great for unstructured search. However, these solutions fall flat when it comes to analytics on potentially hundreds of columns with potentially high cardinality. This makes it particularly problematic to analyze logs such as HTTP access logs which may contain millions of IP addresses or paths and billions of url paths.
At this point users often reach out for systems like Druid. In this blog, I’ll show you how to connect Logstash, a tool for collecting logs typically used as part of the ELK (Elasticsearch + Logstash + Kibana) stack, to push data to Imply Polaris, our Database-as-a-service offering powered by Druid. As part of the solution, we’ll also be using Polaris’s built-in analytics capabilities, instead of Kibana for visualizations and analysis.
Logstash, the L in ELK, is a tool that helps aggregate logs, parse them, and push them to a sink. You can think of it as running one or more processing pipelines where events come in on one end, and structured events get sent out of the other. For the purposes of this tutorial, let’s set up an Apache HTTP server with Logstash configured to read access logs and forward them to Polaris. In a production setup, you’re more likely to use Filebeat and connect it to a more centralized Logstash server that parses and forwards events to Polaris.
We’ll be using Logstash’s file input plugin and HTTP output plugin to read the access logs and push them to Imply.
If you haven’t already done so, sign up for a Polaris account at https://imply.io/polaris-signup and log in. You can proceed with the other pieces of this tutorial while your environment is spinning up and come back here when ready.
Now that you’ve logged in, create an “API client” to identify your application with Polaris. Polaris uses OAuth2 to authenticate API calls. Simply navigate to the User management console and then click API Clients:
There, create a client. Because Logstash’s HTTP endpoint doesn’t support OAuth out of the box, we’re going to create a long-lived access token that will be used in this example. Set the Access Token Lifespan to the duration for this tutorial, say 1 day. Go to the Tokens tab and download the token. Open the downloaded JSON file, and get the token. You’ll need this token later for your Logstash configuration.
Be careful with this access token. Anyone in possession of that token can execute any APIs as you. A better approach is to create a user with more limited access (a more targeted set of permissions) that can only send data. An even better approach is to write some code using Logstash’s Ruby filter plugin to acquire an access token as needed, but that’s beyond the scope of this blog. See the Polaris Developer guide for more details.
Next, in the Data section in the left navigation, click Tables > Create table. Give your table a name. I called mine “accesslogs”.
host_name as string to store the name of the host where the log message is readhttp_version as string to store the HTTP version on the requesthttp_request_referrer as string to store the referrer, if presenthttp_request_method as string to store the verb used on the request, ie POST, GET, etcurl as string to store the request urlsource_address as string to store the client addressuser_agent as string to store the User-Agent header if presenthttp_response_status_code as string to store the status code. I chose string as type because Druid does not index numeric fields (yet!)http_response_body_bytes as long to store the size of the response bodyAfter you save the schema, the UI displays the API endpoint where you can push individual events. Copy that endpoint URL and save it! You’ll use it later to push logs to the table.
If you don’t already have a working web server with logs you’d like to use, you can follow this section to get a server working on Ubuntu. For this tutorial, I installed Ubuntu 20.04.4 LTS into a VM. Then I installed the Apache server using:
$ sudo apt install apache2
$ sudo systemctl start apache2If you already have a working server, you might just want to use the access logs from that server. This tutorial will use the default access log path on Ubuntu at /var/log/apache2/access.log.
You can download Logstash from https://elastic.co/downloads/logstash or you can use the following command:
$ wget https://artifacts.elastic.co/downloads/logstash/logstash-8.1.1-linux-x86_64.tar.gzUntar the package:
$ tar -zxf logstash-8.1.1-linux-x86_64.tar.gzAnd now the good stuff.
Navigate to the logstash-8.1.1 directory
Create a file called my-polaris-pipeline.conf inside the config directory with the content below. Replace the <events_endpoint> and <access_token> placeholders with the URL of your table’s endpoint and your access token respectively:
From the logstash directory, start Logstash as follows:
$ bin/logstash -f config/my-polaris-pipeline.conf --config.reload.automaticNavigate to your Polaris environment and open your table detail to see your log data flowing!
Use cURL to run HTTP requests to generate some Apache access log entries. For example:
$curl http://localhostLet’s create a data cube with Polaris to visualize our data:
Now you can access your new data cube to explore your data:
This blog won’t go into too much detail about visualizations. For that, I recommend reading through the documentation for Pivot, the Imply Enterprise data visualization tool. For now, let’s try a couple of things.
First, let’s break down the records by status code. Drag and drop “Http Response Status Code” from the left panel under Dimensions to the Show bar:
Interesting. I didn’t even try to generate a 408 response. I wonder what that is. Click on the 408 response and select Filter:
Now let’s view that record directly. Click the visualization selector, currently Table on the top right, and choose the Record view:
Cool! You can now use Polaris’s built-in analytics capabilities to slice and dice the Logstash data and build dashboards.
In this blog I’ve shown you how to do a basic configuration of Logstash to parse Apache HTTP Server access logs, push them to Polaris, and then analyze them with Pivot.
Learn more at https://docs.imply.io/polaris. Start your free trial at https://imply.io/polaris-signup.
Migrate Analytics Data from MongoDB to Apache Druid
This blog presents a concise guide on migrating data from MongoDB to Druid. It includes Python scripts to extract data from MongoDB, save it as CSV, and then ingest it into Druid. It also touches on maintaining...
Learn MoreHow Druid Facilitates Real-Time Analytics for Mass Transit
Mass transit plays a key role in reimagining life in a warmer, more densely populated world. Learn how Apache Druid helps power data and analytics for mass transit.
Learn MoreMigrate Analytics Data from Snowflake to Apache Druid
This blog outlines the steps needed to migrate data from Snowflake to Apache Druid, a platform designed for high-performance analytical queries. The article covers the migration process, including Python scripts...
Learn MoreApache Kafka, Flink, and Druid: Open Source Essentials for Real-Time Applications
Apache Kafka, Flink, and Druid, when used together, create a real-time data architecture that eliminates all these wait states. In this blog post, we’ll explore how the combination of these tools enables...
Learn MoreVisualizing Data in Apache Druid with the Plotly Python Library
In today's data-driven world, making sense of vast datasets can be a daunting task. Visualizing this data can transform complicated patterns into actionable insights. This blog delves into the utilization of...
Learn MoreBringing Real-Time Data to Solar Power with Apache Druid
In a rapidly warming world, solar power is critical for decarbonization. Learn how Apache Druid empowers a solar equipment manufacturer to provide real-time data to users, from utility plant operators to homeowners
Learn MoreWhen to Build (Versus Buy) an Observability Application
Observability is the key to software reliability. Here’s how to decide whether to build or buy your own solution—and why Apache Druid is a popular database for real-time observability
Learn MoreHow Innowatts Simplifies Utility Management with Apache Druid
Data is a key driver of progress and innovation in all aspects of our society and economy. By bringing digital data to physical hardware, the Internet of Things (IoT) bridges the gap between the online and...
Learn MoreThree Ways to Use Apache Druid for Machine Learning Workflows
An excellent addition to any machine learning environment, Apache Druid® can facilitate analytics, streamline monitoring, and add real-time data to operations and training
Learn MoreIntroducing Apache Druid 27.0.0
Apache Druid® is an open-source distributed database designed for real-time analytics at scale. Apache Druid 27.0 contains over 350 commits & 46 contributors. This release's focus is on stability and scaling...
Learn MoreUnleashing Real-Time Analytics in APJ: Introducing Imply Polaris on AWS AP-South-1
Imply, the company founded by the original creators of Apache Druid, has exciting news for developers in India seeking to build real-time analytics applications. Introducing Imply Polaris, a powerful database-as-a-Service...
Learn MoreEmbedding Visualizations using React and Express
In this guide, we will walk you through creating a very simple web app that shows a different embedded chart for each user selected from a drop-down. While this example is simple it highlights the possibilities...
Learn MoreApache Druid: Making 1000+ QPS for Analytics Look Easy
This 2-part blog post explores key technical considerations to support high QPS for analytics and the strengths of Apache Druid
Learn MoreThings to Consider When Scaling Analytics for High QPS
This 2-part blog post explores key technical considerations to support high QPS for analytics and the strengths of Apache Druid
Learn MoreAutomate Streaming Data Ingestion with Kafka and Druid
In this blog post, we explore the integration of Kafka and Druid for data stream management and analysis, emphasizing automatic topic detection and ingestion. We delve into the creation of 'Ingestion Spec',...
Learn MoreSchema Auto-Discovery with Apache Druid
This guide explores configuring Apache Druid to receive Kafka streaming messages. To demonstrate Druid's game-changing automatic schema discovery. Using a real-world scenario where data changes are handled...
Learn MoreWhat’s new in Imply Polaris – Q2 2023
Imply Polaris, our ever-evolving Database-as-a-Service, recently focused on global expansion, enhanced security, and improved data handling and visualization. This fully managed cloud service, based on Apache...
Learn MoreIntroducing hands-on developer tutorials for Apache Druid
The objective of this blog is to introduce the new set of interactive tutorials focused on the Druid API fundamentals. These tutorials are available as Jupyter Notebooks and can be downloaded as a Docker container.
Learn MoreIntroducing Schema Auto-Discovery in Apache Druid
In this blog article I’ll unpack schema auto-discovery, a new feature now available in Druid 26.0, that enables Druid to automatically discover data fields and data types and update tables to match changing...
Learn MoreExploring Unnest in Druid
Druid now has a new function, Unnest. Unnest explodes an array into individual elements. This blog contains design methodology and examples for this new Unnest function both from native and SQL binding perspectives.
Learn MoreWhat’s new in Imply Polaris – Our Real-Time Analytics DBaaS
Every week we add new features and capabilities to Imply Polaris. This month, we’ve expanded security capabilities, added new query functionality, and made it easier to monitor your service with your preferred...
Learn MoreIntroducing Apache Druid 26.0
Apache Druid® 26.0, an open-source distributed database for real-time analytics, has seen significant improvements with 411 new commits, a 40% increase from version 25.0. The expanded contributor base of 60...
Learn MoreACID and Apache Druid
ACID and Druid, an interesting dive into some of the Druid capabilities in the light of ACID compliance
Learn MoreHow to Build a Sentiment Analysis Application with ChatGPT and Druid
Leveraging ChatGPT for sentiment analysis, when combined with Apache Druid, offers results from large data volumes. This integration is easily achievable, revealing valuable insights and trends for businesses...
Learn MoreSnowflake and Apache Druid
In this blog, we will compare Snowflake and Druid. It is important to note that reporting data warehouses and real-time analytics databases are different domains. Choosing the right tool for your specific requirements...
Learn MoreLearn how to achieve sub-second responses with Apache Druid
Learn how to achieve sub-second responses with Apache Druid. This article is an in-depth look at how Druid resolves queries and describes data modeling techniques that improve performance.
Learn MoreApache Druid – Recovering Dropped Segments
Apache Druid uses load rules to manage the ageing of segments from one historical tier to another and finally to purge old segments from the cluster. In this article, we’ll show what happens when you make...
Learn MoreReal-Time Analytics: Building Blocks and Architecture
This blog identifies the key technical considerations for real-time analytics. It answers what is the right data architecture and why. It spotlights the technologies used at Confluent, Reddit, Target and 1000s...
Learn MoreTransactions Come and Go, but Events are Forever
For decades, analytics has focused on Transactions. While Transactions are still important, the future of analytics is understanding Events.
Learn MoreWhat’s new in Imply Polaris – Our Real-Time Analytics DBaaS
This blog explains some of the new features, functionality and connectivity added to Imply Polaris over the last two months. We've expanded ingestion capabilities, simplified operations and increased reliability...
Learn MoreElasticsearch and Druid
This blog will help you understand what Elasticsearch and Druid do well and will help you decide whether you need one or both to reach your goals
Learn MoreWow, that was easy – Up and running with Apache Druid
The objective of this blog is to provide a step-by-step guide on setting up Druid locally, including the use of SQL ingestion for importing data and executing analytical queries.
Learn MoreTop 7 Questions about Kafka and Druid
Read on to learn more about common questions and answers about using Kafka with Druid.
Learn MoreTales at Scale Podcast Kicks off with the Apache Druid Origin Story
Tales at Scale cracks open the world of analytics projects and shares stories from developers and engineers who are building analytics applications or working within the real-time data space. One of the key...
Learn MoreReal-time Analytics Database uses partitioning and pruning to achieve its legendary performance
Apache Druid uses partitioning (splitting data) and pruning (selecting subset of data) to achieve its legendary performance. Learn how to use the CLUSTERED BY clause during ingestion for performance and high...
Learn MoreEasily embed analytics into your own apps with Imply’s DBaaS
This blog explains how developers can leverage Imply Polaris to embed robust visualization options directly into their own applications without them having to build a UI. This is super important because consuming...
Learn MoreBuilding an Event Analytics Pipeline with Confluent Cloud and Imply’s real time DBaaS, Polaris
Learn how to set up a pipeline that generates a simulated clickstream event stream and sends it to Confluent Cloud, processes the raw clickstream data using managed ksqlDB in Confluent Cloud, delivers the processed...
Learn MoreReal time DBaaS comes to Europe
We are excited to announce the availability of Imply Polaris in Europe, specifically in AWS eu-central-1 region based in Frankfurt. Since its launch in March 2022, Imply Polaris, the fully managed Database-as-a-Service...
Learn MoreStream big, think bigger—Analyze streaming data at scale in 2023
Imply is predicting the next "big thing" in 2023 will be analyzing streaming data in real time (and Druid is built for just that!)
Learn MoreShould You Build or Buy Security Analytics for SecOps?
When should you build—or buy—a security analytics platform for your environment? Here are some common considerations—and how Apache Druid is the ideal foundation for any in-house security solution.
Learn MoreIntroducing Apache Druid 25.0
Apache Druid 25.0 contains over 293 updates from over 56 contributors.
Learn More2022 in Review: A Breakout Year for Druid, A Banner Year for Imply
2022 was a great year for Druid AND Imply!
Learn MoreDruid and SQL syntax
This is a technical blog, which summarises the process of extending the Druid's SQL grammar for ingestion and delves into the nitty gritty of Calcite.
Learn MoreNative support for semi-structured data in Apache Druid
Describes a new feature- ingest complex data as is into Druid- massive improvement in developer productivity
Learn MoreReal-Time Analytics with Imply Polaris: From Setup to Visualization
Imply Polaris offers reduced operational overhead and elastic scaling for efficient real-time analytics that helps you unlock your data's potential.
Learn MoreDatanami Award
Apache Druid won Datanami's 2022 Readers’ and Editors’ Choice Awards for Reader's Choice "Best Data and AI Product or Technology: Analytics Database".
Learn MoreAlerting and Security Features in Polaris
Describes new features - alerts and some security features- and how Imply customers can leverage it
Learn MoreIngestion from Amazon Kinesis and S3 into Imply Polaris
Imply Polaris now supports data ingestion from Amazon Kinesis and Amazon S3
Learn MoreGetting the Most Out of your Data
Ingesting data from one table to another is easy and fast in Imply Polaris!
Learn MoreCombating financial fraud and money laundering at scale with Apache Druid
Learn how Apache Druid enables financial services firms and FinTech companies to get immediate insights from petabytes-plus data volumes for anti-fraud and anti-money laundering compliance.
Learn MoreWhat’s new in Imply – December 2022
This is a what's new to Imply in Dec 2022. We’ve added two new features to Imply Polaris to make it easier for your end users to take advantage of real-time insights.
Learn MoreWhat’s New in Imply Polaris – November 2022
This blog provides an overview for the new features, functionality, and connectivity to Imply Polaris for November 2022.
Learn MoreImply Pivot delivers the final mile for modern analytics applications
This blog is focused on how Imply Pivot delivers the final mile for building an anlaytics app. It showcases two customer examples - Twitch and ironsource.
Learn MoreWhy Analytics Need More than a Data Warehouse
For decades, analytics has been defined by the standard reporting and BI workflow, supported by the data warehouse. Now, 1000s of companies are realizing an expansion of analytics beyond reporting, which requires...
Learn MoreWhy Open Source Matters for Databases
Apache Druid is at the heart of Imply. We’re an open source business, and that’s why we’re committed to making Druid the best open source database for modern analytics applications
Learn MoreIngestion from Confluent Cloud and Kafka in Polaris
How to ingest data into Imply Polaris from Confluent Cloud and from Apache Kafka
Learn MoreWhat Makes a Database Built for Streaming Data?
For an analytics app to handle real-time, streaming sources, it must be built for streaming data. Druid has 3 essential features for stream data.
Learn MoreSQL-based Transformations and JSON Columns in Imply Polaris
You can easily do data transformations and manage JSON data with Imply Polaris, both using SQL.
Learn MoreApproximate Distinct Counts in Imply Polaris
When it comes to modern data analytics applications, speed is of the utmost importance. In this blog we discuss two approximation algorithms which can be used to greatly enhance speed with only a slight reduction...
Learn MoreThe next chapter for Imply Polaris: celebrating 250+ accounts, continued innovation
Today we announced the next iteration of Imply Polaris, the fully managed Database-as-a-Service that helps you build modern analytics applications faster, cheaper, and with less effort. Since its launch in...
Learn MoreIntroducing Imply’s Total Value Guarantee for Apache Druid
Apache Druid 24.0 contains 450 updates and new features, major performance enhancements, bug fixes, and major documentation improvements
Learn MoreIntroducing Apache Druid 24.0
Apache Druid 24.0 contains 450 updates and new features, major performance enhancements, bug fixes, and major documentation improvements
Learn MoreUsing Imply Pivot with Druid to Deduplicate Timeseries Data
Imply Pivot offers multi step aggregations, which is valuable for timeseries data where measures are not evenly distributed in time.
Learn MoreA Look Under the Surface at Polaris Security
We have taken a security-first approach in building the easiest real-time database for modern analytics applications.
Learn MoreUpserts and Data Deduplication with Druid
A look at what can be done with Druid for upserts and data deduplication.
Learn MoreWhat Developers Can Build with Apache Druid
We obviously talk a lot about #ApacheDruid on here. But what are folks actually building with Druid? What is a modern analytics application, exactly? Let's find out
Learn MoreWhen Streaming Analytics… Isn’t
Nearly all databases are designed for batch processing, which leaves three options for stream analytics.
Learn MoreApache Druid vs. Snowflake
Elasticity is important, but beware the database that can only save you money when your application is not in use. The best solution will have excellent price-performance under all conditions.
Learn MoreDruid 0.23 – Features And Capabilities For Advanced Scenarios
Many of Druid’s improvements focus on building a solid foundation, including making the system more stable, easier to use, faster to scale, and better integrated with the rest of the data ecosystem. But for...
Learn MoreIntroducing Apache Druid 0.23
Apache Druid 0.23.0 contains over 450 updates, including new features, major performance enhancements, bug fixes, and major documentation improvements.
Learn MoreAn Opinionated Guide to Component APIs
We have collected a number of guidelines for React component APIs that make components more predictable in terms of behavior and performance.
Learn MoreDruid Architecture & Concepts
In a world full of databases, learn how Apache Druid makes real-time analytics apps a reality in this Whitepaper from Imply
Learn More3 decisions that shaped the Polaris UI
Imply Polaris is a fully managed database-as-a-service for building realtime analytics applications. John is the tech lead for the Polaris UI, known internally as the Unified App. It began with a profound question:...
Learn MoreHow Imply Polaris takes a security-first approach
A primer for developers on security tools and controls available in Imply Polaris
Learn MoreImply Raises $100MM in Series D funding
There is a new category within data analytics emerging which is not centered in the world of reports and dashboards (the purview of data analysts and data scientists), but instead centered in the world of applications...
Learn MoreImply Named “Cool Database Vendor” by CRN
There can’t be one database good at everything. When it comes to real-time analytics, you need a database built for it.
Learn MoreLiving the Stream
We are in the early stages of a stream revolution, as developers build modern transactional and analytic applications that use real-time data continuously delivered.
Learn MoreMigrating Data from ClickHouse to Imply Polaris
In this blog, we’ll review the simple steps to export data from ClickHouse in a format that is easy to ingest into Polaris.
Learn MoreApache Druid vs. ClickHouse
Developers and architects must look beyond query performance to understand the operational realities of growing and managing a high performance database and if it will consume their valuable time.
Learn MoreJava Keytool, TLS, and Zookeeper Security
Lean the basics of Public Key Infrastructure (PKI) as it relates to Druid and Zookeeper security.
Learn MoreFor April 1st: a New Description of Apache Druid from Our Youngest Technical Architect
A simple set of instructions to deploy Apache Druid on minikube using minio for local deep storage on your laptop.
Learn MoreDistributed by Nature: Druid at Scale
Horizontal scaling is the key to performance at scale, which is why every database claims this. You should investigate, though, to see how much effort it takes, especially compared to Apache Druid.
Learn MoreAtomic Replace in Polaris
When you think of querying with Apache Druid, you probably imagine queries over massive data sets that run in less than a second. This blog is about some of the things we did as a team to discover the user...
Learn MoreAnnouncing Imply Polaris
Today, we're excited to announce a major leap forward in ease-of-use with the introduction of Imply Polaris, our fully-managed, database-as-a-service.
Learn MoreBuilding Analytics for External Users is a Whole Different Animal
Analytics aren’t just for internal stakeholders anymore. If you’re building an analytics application for customers, then you’re probably wondering…what’s the right database backend?
Learn MoreClustered Apache Druid® on your Laptop – Easy!
A simple set of instructions to deploy Apache Druid on minikube using minio for local deep storage on your laptop.
Learn MoreWhy Data Needs More than CRUD
After over 30 years of working with data analytics, we’ve been witness (and sometimes participant) to three major shifts in how we find insights from data - and now we’re looking at the fourth.
Learn MoreThe Rise of a New Analytics Hero in 2022
Every year industry pundits predict data and analytics becoming more valuable the following year. But this doesn’t take a crystal ball to predict. There’s instead something much more interesting happening...
Learn MoreA new shape for Apache Druid
Today, I'm prepared to share our progress on this effort and some of our plans for the future. But before diving further into that, let's take a closer look at how Druid's core query engine executes queries,...
Learn MoreProduct Update: SSO, Cluster level authorization, OAuth 2.0 and more security features
When you think of querying with Apache Druid, you probably imagine queries over massive data sets that run in less than a second. This blog is about some of the things we did as a team to discover the user...
Learn MoreMulti-dimensional range partitioning
When you think of querying with Apache Druid, you probably imagine queries over massive data sets that run in less than a second. This blog is about some of the things we did as a team to discover the user...
Learn MoreLog4Shell Vulnerability and Mitigation
A critical vulnerability has recently been discovered in Apache Log4j, a popular logging library for Java projects.
Learn MoreDruid Nails Cost Efficiency Challenge Against ClickHouse & Rockset
To make a long story short, we were pleased to confirm that Druid is 2 times faster than ClickHouse and 8 times faster than Rockset with fewer hardware resources!.
Learn MoreUnveiling Project Shapeshift Nov. 9th at Druid Summit 2021
There is a new category within data analytics emerging which is not centered in the world of reports and dashboards (the purview of data analysts and data scientists), but instead centered in the world of applications...
Learn MoreHow we made long-running queries work in Apache Druid
When you think of querying with Apache Druid, you probably imagine queries over massive data sets that run in less than a second. This blog is about some of the things we did as a team to discover the user...
Learn MoreAuto Scaling real-time Kafka Ingestion FTW!
Uneven traffic flow in streaming pipelines is a common problem. Providing the right level of resources to keep up with spikes in demand is a requirement in order to deliver timely analytics.
Learn MoreCommunity Discoveries: multi-value dimensions in Apache Druid
Hellmar Becker is an Imply solutions engineer based in Germany, where he has been delving into the nooks-and-crannies of multi-valued dimension support in Druid. In this interview, Hellmar explains why...
Learn MoreCommunity Spotlight: Apache Pulsar and Apache Druid get close…
The community team at Imply spoke with an Apache Pulsar community member, Giannis Polyzos, about how collaboration between open source communities generates great things, and more specifically, about how...
Learn MoreMeet the team: Abhishek Agarwal, engineering lead in India
Abhishek is Imply’s first engineer in India. We spoke to him about setting up our operations in Bangalore and asked what kind of local talent the company is looking for.
Learn MoreMeet the team: Jihoon Son, Software Engineer
Jihoon Son is a software engineer at Imply who works on Apache Druid®. He explains what drew him to Imply five years ago and why he’s even more inspired by the company today.
Learn More