Announcing Data Prepper 2.0.0
The Data Prepper maintainers are proud to announce the release of Data Prepper 2.0. This release makes Data Prepper easier to use and helps you improve your observability stack based on feedback from our users. Data Prepper 2.0 retains compatibility with all current versions of OpenSearch.
Here are some of the major changes and enhancements made for Data Prepper 2.0.
Conditional routing
Data Prepper 2.0 supports conditional routing to help pipeline authors send different logs to specific OpenSearch clusters.
One common use case for conditional routing is reducing the volume of data going to some clusters. When you want info logs that produce large volumes of data to go to a cluster, to index with more frequent rollovers, or to add deletions to clear out large volumes of data, you can now configure pipelines to route the data with your chosen action.
Simply choose a name appropriate for the domain and a Data Prepper expression. Then for any sink that should only have some data coming through, define one or more routes to apply. Data Prepper will evaluate these expressions for each event to determine which sinks to route these events. Any sink that has no routes defined will accept all events.
For example, consider an application log that includes log data. A typical Java application log might look like the following.
2022-10-10T10:10:10,421 [main] INFO org.example.Application - Saving 10 records to SQL table "orders"
The text that reads INFO
indicates that this is an INFO-level log. Data Prepper pipeline authors can now route logs with this level to only certain OpenSearch clusters.
The following example pipeline takes application logs from the http
source. This source
accepts log data from external sources such as Fluent Bit.
The pipeline then uses the grok
processor to split the log line into multiple fields. The grok
processor adds a
field named loglevel
to the event. Pipeline authors can use that field in routes.
This pipeline contains two OpenSearch sinks. The first sink will only receive logs with a log level of WARN
or ERROR
.
Data Prepper will route all events to the second sink.
application-log-pipeline:
workers: 4
delay: "50"
source:
http:
processor:
- grok:
match:
log: [ "%{NOTSPACE:time} %{NOTSPACE:thread} %{NOTSPACE:loglevel} %{NOTSPACE:class} - %{GREEDYDATA:message}" ]
route:
- warn_and_above: '/loglevel == "WARN" or /loglevel == "ERROR"'
sink:
- opensearch:
routes:
- warn_and_above
hosts: ["https://opensearch:9200"]
insecure: true
username: "admin"
password: "admin"
index: warn-and-above-logs
- opensearch:
hosts: ["https://opensearch:9200"]
insecure: true
username: "admin"
password: "admin"
index: all-logs
There are many other use cases that conditional routing can support. If there are other conditional expressions you’d like to see support for, please create an issue in GitHub.
Peer forwarder
Data Prepper 2.0 introduces peer forwarding as a core feature.
Previous to Data Prepper 2.0, performing stateful trace aggregations required using the peer forwarder processor plugin. But this plugin only worked for traces and would send data back to the source. Also, log aggregations only worked on a single node.
With peer forwarding as a core feature, pipeline authors can perform stateful aggregations on multiple Data Prepper nodes. When performing stateful aggregations, Data Prepper uses a hash ring to determine which nodes are responsible for processing different events based on the values of certain fields. Peer forwarder routes events to the node responsible for processing them. That node then holds the state necessary for performing the aggregation.
To use peer forwarding, configure how Data Prepper discovers other nodes and the security for connections in your
data-prepper-config.yaml
file.
In the following example, Data Prepper discovers other peers by using a DNS query on the my-data-prepper-cluster.production
domain.
When using peer forwarder with DNS, the DNS record should be an A record with a list of IP addresses for peers. The example also uses a custom certificate and private key.
For host verification, it checks the fingerprint of the certificate. Lastly, it configures each server to authenticate requests using
Mutual TLS (mTLS) to prevent data tampering.
peer_forwarder:
discovery_mode: dns
domain_name: "my-data-prepper-cluster.production"
ssl_certificate_file: /usr/share/data-prepper/config/my-certificate.crt
ssl_key_file: /usr/share/data-prepper/config/my-certificate.key
ssl_fingerprint_verification_only: true
authentication:
mutual_tls:
Directory structure
Before the release of Data Prepper 2.0, we distributed Data Prepper as a single executable JAR file. While convenient, this made it difficult for us to include custom plugins.
We now distribute Data Prepper 2.0 in a bundled directory structure. This structure features a shell script to launch Data Prepper and dedicated subdirectories for JAR files, configurations, pipelines, logs, and more.
data-prepper-2.0.0/
bin/
data-prepper # Shell script to run Data Prepper
config/
data-prepper-config.yaml # The Data Prepper configuration file
log4j.properties # Logging configuration
pipelines/ # New directory for pipelines
trace-analytics.yaml
log-ingest.yaml
lib/
data-prepper-core.jar
... any other jar files
logs/
You now can launch Data Prepper by running bin/data-prepper
; there is no need for additional command line arguments or Java system
property definitions. Instead, the application loads configurations from the config/
subdirectory.
Data Prepper 2.0 reads pipeline configurations from the pipelines/
subdirectory. You can now define pipelines across
multiple YAML files in the subdirectory, where each file contains the definition for one or more pipelines. The directory
also helps keep pipeline definition distinct and, therefore, more compact and focused.
JSON and CSV parsing
Many of our users have incoming data with embedded JSON or CSV fields. To help in these use cases, Data Prepper 2.0 supports parsing JSON and CSV.
For example, when one large object includes a serialized JSON string, you can use the parse_json
processor to extract
the fields from the JSON string into your event.
Data Prepper can now import CSV or TSV formatted files from Amazon Simple Storage Service (Amazon S3) sources. This is useful for systems like Amazon CloudFront, which write their access logs as TSV files. Now you can parse these logs using Data Prepper.
Additionally, if your events have
CSV or TSV fields, Data Prepper 2.0 now contains a csv
processor that can create fields from your incoming CSV data.
Other improvements
Data Prepper 2.0 includes a number of other improvements. We want to highlight a few of them.
- The OpenSearch sink now supports
create
actions for OpenSearch when writing documents. Pipeline authors can configure their pipelines to only create new documents and not update existing ones. - The HTTP source now supports loading TLS/SSL credentials from either Amazon S3 or AWS Certificate Manager (ACM). Pipeline authors can now configure them for their log ingestion use cases. Before Data Prepper 2.0, only the OTel Trace Source supported these options.
- Data Prepper now requires Java 11 or higher. The Docker image deploys with JDK 17.
Please see our release notes for a complete list.
Try Data Prepper 2.0
Data Prepper 2.0 is available for download now! The maintainers encourage you to read the latest documentation and try out the new features.