一:Flume:
1.1:flume简介
Flume is a distributed, reliable, and available service for efficiently collecting, aggregating, and moving large amounts of log data
Apache flume是一个分布式、可靠、和高可用的海量日志采集、聚合和传输的系统,用于有效地收集、聚合和将大量日志数据从许多不同的源移动到一个集中的数据存储(如文本、HDFS、Hbase等)。
其使用不仅仅限于日志数据聚合。因为数据源是可定制的(内置Avro,Thrift
Syslog,Netcat),Flume可以用于传输大量事件数据,包括但不限于网络流量数据、社交媒体生成的数据、电子邮件消息和几乎所有可能的数据源。
1.2:flume的工作过程
flume的数据流由事件(Event)贯穿始终。事件是Flume的基本数据单位,它携带日志数据(字节数组形式)并且携带有头信息,这些Event由Agent外部的Source生成,当Source捕获事件后会进行特定的格式化,然后Source会把事件推入(单个或多个)Channel中。你可以把Channel看作是一个缓冲区,它将保存事件直到Sink处理完该事件。Sink负责持久化日志或者把事件推向另一个Source。
1.3:flume的组件
source : 数据源组件,专门读取相对应的数据,并将数据传到channel中.
channel : 管道,用于连接source和sink
sink : 数据下沉组件,用于将channel中的数据持久化到对应的文件系统中或者流中。
agent : flume的运行单元,里面必须包含一个或者多个source、channel、sink,运行在单个jvm中。
event : 事件,是数据的描述。
interceptor : 拦截器,作用于source阶段,用于过滤数据。
selectorer : 选择器,作用于source阶段,默认是replicating,也就是复用功能。mutiplxing
groupsinks : sink组,用于将多个sink选择sink。
1.4:常见的组件类型以及属性
source常用组件:exec、avro source 、 spooling dirctory 、kafka 、netcat 、http、自定义
channel常用:memory 、 file 、kafka 、 jdbc
sinks常用 : logger 、avro 、 hdfs 、hive 、hbase、kafka等
1.4.1 Syslog Sources的一些属性1.4.2 tcp source 的一些属性
1.4.3 HTTP Source 的一些属性
1.4.4 HDFS Sink 的一些属性
1.4.5 Hive Sink 的一些属性
1.5:案例1:exec -->memory -->logger
监控一个文件到logger
vi ./conf/first.conf
#定义source|channel|sink组件
a1.sources = r1
a1.sinks = k1
a1.channels = c1
#配置r1的属性
a1.sources.r1.type = exec
a1.sources.r1.command = tail -F /home/flume/test
#配置sinks的属性
a1.sinks.k1.type = logger
#配置channel的属性
a1.channels.c1.type = memory #指定channel的类型为内存
a1.channels.c1.capacity = 10000 #存储事件的最大数量
a1.channels.c1.transactionCapacity = 10000 #接受的最大数量
#绑定source与sink于channel
a1.sources.r1.channels = c1
a1.sinks.k1.channel = c1
测试:
flume-ng agent -c conf/ -f conf/first.conf -n a1 -Dflume.root.logger=INFO,console
echo '123156465' >> /home/flume/test
1.6:案例2:exec -->memory -->hdfs
监控一个文件到hdfs
上传到hdfs
vi ./conf/e2h.conf
#定义source|channel|sink组件
a1.sources = r1
a1.sinks = k1
a1.channels = c1
#配置r1的属性
a1.sources.r1.type = exec
a1.sources.r1.command = tail -F /home/flume/test
#配置sinks的属性
a1.sinks.k1.type = hdfs
a1.sinks.k1.hdfs.path = /flume/events/dt=%y-%m-%d
a1.sinks.k1.hdfs.filePrefix = events- #指定sink写入HDFS文件的前缀名
a1.sinks.k1.hdfs.round = true #是否开启时间戳的四舍五入
a1.sinks.k1.hdfs.roundValue = 10 #舍弃十分钟,也就是该目录每十分钟生成一个
a1.sinks.k1.hdfs.fileType=DataStream #文件格式默认SequenceFile,--DateStream不会压缩输出文件
a1.sinks.k1.hdfs.writeFormat=Text #向DFS文件里写的格式
a1.sinks.k1.hdfs.roundUnit = minute #四舍五入的最小单位
a1.sinks.k1.hdfs.useLocalTimeStamp=true
#配置channel的属性
a1.channels.c1.type = memory
a1.channels.c1.capacity = 10000
a1.channels.c1.transactionCapacity = 10000
#绑定source与sink于channel
a1.sources.r1.channels = c1
a1.sinks.k1.channel = c1
测试:
flume-ng agent -c conf/ -f conf/e2h.conf -n a1 -Dflume.root.logger=INFO,console
参数:
hdfs.rollInterval
hdfs.rollSize
hdfs.rollCount
1.7:案例3、 spooldir + memory + logger
监控目录
vi ./conf/spooldir
a1.sources=r1
a1.channels=c1
a1.sinks=s1
a1.sources.r1.type=spoolDir
a1.sources.r1.spoolDir=/home/flume #自己定义的spooldir的文件目录
a1.sources.r1.fileHeader=true #是否在event的Header中添加文件名
a1.sources.r1.fileHeaderKey=file
a1.channels.c1.type=memory
a1.channels.c1.capacity=1000
a1.channels.c1.transactionCapacity=100
a1.channels.c1.keep-alive=3
a1.channels.c1.byteCapacityBufferPercentage = 20
a1.channels.c1.byteCapacity = 800000
a1.sinks.s1.type = logger
a1.sources.r1.channels=c1
a1.sinks.s1.channel=c1
启动agent:
flume-ng agent -c ./conf/ -f ./conf/spooldir.conf -n a1 -Dflume.root.logger=INFO,console
测试:
向目录下添加文件
1.8:案例4、 syslogtcp + memory + logger
监控tcp
vi ./conf/syslogtcp.conf
a1.sources=r1
a1.channels=c1
a1.sinks=s1
a1.sources.r1.type=syslogtcp
a1.sources.r1.port=6666
a1.sources.r1.host=master
a1.channels.c1.type=memory
a1.channels.c1.capacity=1000
a1.channels.c1.transactionCapacity=100
a1.channels.c1.keep-alive=3
a1.channels.c1.byteCapacityBufferPercentage = 20
a1.channels.c1.byteCapacity = 800000
a1.sinks.s1.type = logger
a1.sources.r1.channels=c1
a1.sinks.s1.channel=c1
启动agent:
flume-ng agent -c ./conf/ -f ./conf/syslogtcp.conf -n a1 -Dflume.root.logger=INFO,console
测试:
echo "hello flume" | nc master 6666
1.9:案例5、 http + memory + logger
监控http
vi ./conf/http.conf
a1.sources=r1
a1.channels=c1
a1.sinks=s1
a1.sources.r1.type=org.apache.flume.source.http.HTTPSource
a1.sources.r1.port=6667
a1.sources.r1.bind=master
a1.channels.c1.type=memory
a1.channels.c1.capacity=1000
a1.channels.c1.transactionCapacity=100
a1.channels.c1.keep-alive=3
a1.channels.c1.byteCapacityBufferPercentage = 20
a1.channels.c1.byteCapacity = 800000
a1.sinks.s1.type = logger
a1.sources.r1.channels=c1
a1.sinks.s1.channel=c1
启动agent:
flume-ng agent -c ./conf/ -f ./conf/http.conf -n a1 -Dflume.root.logger=INFO,console
测试:
curl -X POST -d '[{"headers":{"time":"2017-06-13"},"body":"this is http"}]' http://master:6667
1.10:案例6、 exec + file + hdfs
监控文件 管道落地有检查点 速度慢但是准确性有保证 写入到hdfs
vi ./conf/file.conf
a1.sources=r1
a1.channels=c1
a1.sinks=s1
a1.sources.r1.type=exec
a1.sources.r1.command= tail -f /home/flumedata/exedata
a1.channels.c1.type=file
a1.channels.c1.checkpointDir=/home/flumedata/checkpoint
a1.channels.c1.dataDirs=/home/flumedata/data
a1.sinks.s1.type = hdfs
a1.sinks.s1.hdfs.path = hdfs://hd/flumedata/events/%y-%m-%d/%H%M/%S
a1.sinks.s1.hdfs.filePrefix = master-
a1.sinks.s1.hdfs.fileSuffix=.log
a1.sinks.s1.hdfs.inUseSuffix=.tmp
a1.sinks.s1.hdfs.rollInterval=2
a1.sinks.s1.hdfs.rollSize=1024
a1.sinks.s1.hdfs.fileType=DataStream
a1.sinks.s1.hdfs.writeFormat=Text
a1.sinks.s1.hdfs.round = true
a1.sinks.s1.hdfs.roundValue = 1
a1.sinks.s1.hdfs.roundUnit = second
a1.sinks.s1.hdfs.useLocalTimeStamp=true
a1.sources.r1.channels=c1
a1.sinks.s1.channel=c1
启动agent:
flume-ng agent -c ./conf/ -f ./conf/file.conf -n a1 -Dflume.root.logger=INFO,console
测试:
echo 'addtest txt' >> /home/flumedata/exedata
二:flume拦截器
拦截器的种类介绍
1、Timestamp Interceptor(时间戳拦截器)
flume中一个最经常使用的拦截器 ,该拦截器的作用是将时间戳插入到flume的事件报头中。如果不使用任何拦截器,flume接受到的只有message。时间戳拦截器的配置。 参数 默认值 描述 type 类型名称timestamp,也可以使用类名的全路径 preserveExisting false 如果设置为true,若事件中报头已经存在,不会替换时间戳报头的值
2、Host Interceptor(主机拦截器)
主机拦截器插入服务器的ip地址或者主机名,agent将这些内容插入到事件的报头中。时间报头中的key使用hostHeader配置,默认是host。主机拦截器的配置参数 默认值 描述 type 类型名称host hostHeader host 事件投的key useIP true 如果设置为false,host键插入主机名 preserveExisting false 如果设置为true,若事件中报头已经存在,不会替换host报头的值
3、静态拦截器(Static Interceptor)
静态拦截器的作用是将k/v插入到事件的报头中。配置如下参数 默认值 描述 type 类型名称static key key 事件头的key value value key对应的value值 preserveExisting true 如果设置为true,若事件中报头已经存在该key,不会替换value的值source连接到静态拦截器的配置:
4、正则过滤拦截器(Regex Filtering Interceptor)
在日志采集的时候,可能有一些数据是我们不需要的,这样添加过滤拦截器,可以过滤掉不需要的日志,也可以根据需要收集满足正则条件的日志。参数默认值描述 type 类型名称REGEX_FILTER regex .* 匹配除“\n”之外的任何个字符 excludeEvents false 默认收集匹配到的事件。如果为true,则会删除匹配到的event,收集未匹配到的。
2.1:案例1、
静态拦截器的作用是将k/v插入到事件的报头中
vi ./conf/ts1.conf
a1.sources=r1
a1.channels=c1
a1.sinks=s1
a1.sources.r1.type=exec
a1.sources.r1.command= tail -f /home/flumedata/exedata
a1.sources.r1.interceptors = i1 i2 i3
a1.sources.r1.interceptors.i1.type = timestamp
a1.sources.r1.interceptors.i1.preserveExisting=true
a1.sources.r1.interceptors.i2.type = host
a1.sources.r1.interceptors.i2.hostHeader = hostname
a1.sources.r1.interceptors.i2.preserveExisting=true
a1.sources.r1.interceptors.i3.type = static
a1.sources.r1.interceptors.i3.key = city
a1.sources.r1.interceptors.i3.value = NEW_YORK
a1.channels.c1.type=memory
a1.channels.c1.capacity=1000
a1.channels.c1.transactionCapacity=100
a1.channels.c1.keep-alive=3
a1.channels.c1.byteCapacityBufferPercentage = 20
a1.channels.c1.byteCapacity = 800000
a1.sinks.s1.type = hdfs
a1.sinks.s1.hdfs.path = hdfs://hd/flume/events/%y-%m-%d/%H%M/%S
a1.sinks.s1.hdfs.filePrefix = %{hostname}-
a1.sinks.s1.hdfs.fileSuffix=.log
a1.sinks.s1.hdfs.inUseSuffix=.tmp
a1.sinks.s1.hdfs.rollInterval=2
a1.sinks.s1.hdfs.rollSize=1024
a1.sinks.s1.hdfs.fileType=DataStream
a1.sinks.s1.hdfs.writeFormat=Text
a1.sinks.s1.hdfs.round = true
a1.sinks.s1.hdfs.roundValue = 1
a1.sinks.s1.hdfs.roundUnit = second
a1.sinks.s1.hdfs.useLocalTimeStamp=false
a1.sources.r1.channels=c1
a1.sinks.s1.channel=c1
启动agent:
flume-ng agent -c ./conf/ -f ./conf/ts1.conf -n a1 -Dflume.root.logger=INFO,console
测试:
2.2:案例2、正则拦截器
根据正则表达式过滤监控内容
1~9开头的
vi ./conf/rex.conf
a1.sources=r1
a1.channels=c1
a1.sinks=s1
a1.sources.r1.type=exec
a1.sources.r1.command= tail -f /home/flumedata/exedata
a1.sources.r1.interceptors = i1
a1.sources.r1.interceptors.i1.type = regex_filter
a1.sources.r1.interceptors.i1.regex=^[0-9].*$
a1.sources.r1.interceptors.i1.excludeEvents=false
a1.channels.c1.type=memory
a1.channels.c1.capacity=1000
a1.channels.c1.transactionCapacity=100
a1.channels.c1.keep-alive=3
a1.channels.c1.byteCapacityBufferPercentage = 20
a1.channels.c1.byteCapacity = 800000
a1.sinks.s1.type = logger
a1.sources.r1.channels=c1
a1.sinks.s1.channel=c1
启动agent:
flume-ng agent -c ./conf/ -f ./conf/rex.conf -n a1 -Dflume.root.logger=INFO,console
测试:
三:flume选择器
3.1:案例1、复制选择器
读监控文件复制到两个或多个上(logger和hdfs)
vi ./conf/rep.conf
a1.sources=r1
a1.channels=c1 c2
a1.sinks=s1 s2
a1.sources.r1.type=exec
a1.sources.r1.command= tail -f /home/flumedata/exedata
a1.sources.r1.selector.type = replicating
a1.sources.r1.selector.optional = c2
a1.channels.c1.type=memory
a1.channels.c1.capacity=1000
a1.channels.c1.transactionCapacity=100
a1.channels.c1.keep-alive=3
a1.channels.c1.byteCapacityBufferPercentage = 20
a1.channels.c1.byteCapacity = 800000
a1.channels.c2.type=memory
a1.channels.c2.capacity=1000
a1.channels.c2.transactionCapacity=100
a1.channels.c2.keep-alive=3
a1.channels.c2.byteCapacityBufferPercentage = 20
a1.channels.c2.byteCapacity = 800000
a1.sinks.s1.type = logger
a1.sinks.s2.type = hdfs
a1.sinks.s2.hdfs.path = hdfs://hd/flume/events/%y-%m-%d/%H%M/%S
a1.sinks.s2.hdfs.filePrefix = event-
a1.sinks.s2.hdfs.fileSuffix=.log
a1.sinks.s2.hdfs.inUseSuffix=.tmp
a1.sinks.s2.hdfs.rollInterval=2
a1.sinks.s2.hdfs.rollSize=1024
a1.sinks.s2.hdfs.fileType=DataStream
a1.sinks.s2.hdfs.writeFormat=Text
a1.sinks.s2.hdfs.round = true
a1.sinks.s2.hdfs.roundValue = 1
a1.sinks.s2.hdfs.roundUnit = second
a1.sinks.s2.hdfs.useLocalTimeStamp=true
a1.sources.r1.channels=c1 c2
a1.sinks.s1.channel=c1
a1.sinks.s2.channel=c2
3.2:案例4、复分选择器
根据条件分发到两个或者多个上(logger和hdfs)
vi ./conf/mul.conf
a1.sources=r1
a1.channels=c1 c2
a1.sinks=s1 s2
a1.sources.r1.type=org.apache.flume.source.http.HTTPSource
a1.sources.r1.port=6668
a1.sources.r1.bind=master
a1.sources.r1.selector.type = multiplexing
a1.sources.r1.selector.header = status
a1.sources.r1.selector.mapping.CZ = c1
a1.sources.r1.selector.mapping.US = c2
a1.sources.r1.selector.default = c1
a1.channels.c1.type=memory
a1.channels.c1.capacity=1000
a1.channels.c1.transactionCapacity=100
a1.channels.c1.keep-alive=3
a1.channels.c1.byteCapacityBufferPercentage = 20
a1.channels.c1.byteCapacity = 800000
a1.channels.c2.type=memory
a1.channels.c2.capacity=1000
a1.channels.c2.transactionCapacity=100
a1.channels.c2.keep-alive=3
a1.channels.c2.byteCapacityBufferPercentage = 20
a1.channels.c2.byteCapacity = 800000
a1.sinks.s1.type = logger
a1.sinks.s2.type = hdfs
a1.sinks.s2.hdfs.path =hdfs://hd/flume/events/%y-%m-%d/%H%M/%S
a1.sinks.s2.hdfs.filePrefix = event-
a1.sinks.s2.hdfs.fileSuffix=.log
a1.sinks.s2.hdfs.inUseSuffix=.tmp
a1.sinks.s2.hdfs.rollInterval=2
a1.sinks.s2.hdfs.rollSize=1024
a1.sinks.s2.hdfs.fileType=DataStream
a1.sinks.s2.hdfs.writeFormat=Text
a1.sinks.s2.hdfs.round = true
a1.sinks.s2.hdfs.roundValue = 1
a1.sinks.s2.hdfs.roundUnit = second
a1.sinks.s2.hdfs.useLocalTimeStamp=true
a1.sources.r1.channels=c1 c2
a1.sinks.s1.channel=c1
a1.sinks.s2.channel=c2
测试数据:
flume-ng agent -c ./conf/ -f ./conf/mul -n a1 -Dflume.root.logger=INFO,console
curl -X POST -d '[{"headers":{"status":"2017-06-13"},"body":"this is default"}]' http://master:6669
curl -X POST -d '[{"headers":{"status":"CZ"},"body":"this is CZ"}]' http://master:6669
curl -X POST -d '[{"headers":{"status":"US"},"body":"this is US"}]' http://master:6669 结果要到hdfs上看
curl -X POST -d '[{"headers":{"status":"ss"},"body":"this is ss"}]' http://master:6669
四:flume的集群搭建
4.1案例1、两个或多个集中到一个节点上。
创建三个文件 分别存放配置文件。vi hdflume.conf conf下
master监控得到的内容发送到hdp02 hdp01监控到内容也给hdp02
master的配置:
a1.sources=r1
a1.channels=c1
a1.sinks=s1
a1.sources.r1.type=syslogtcp
a1.sources.r1.port=6669
a1.sources.r1.host=master
a1.channels.c1.type=memory
a1.channels.c1.capacity=1000
a1.channels.c1.transactionCapacity=100
a1.channels.c1.keep-alive=3
a1.channels.c1.byteCapacityBufferPercentage = 20
a1.channels.c1.byteCapacity = 800000
a1.sinks.s1.type =avro
a1.sinks.s1.hostname=hdp02
a1.sinks.s1.port=6669
a1.sources.r1.channels=c1
a1.sinks.s1.channel=c1
hdp01的配置:
a1.sources=r1
a1.channels=c1
a1.sinks=s1
a1.sources.r1.type=syslogtcp
a1.sources.r1.port=6669
a1.sources.r1.host=hdp01
a1.channels.c1.type=memory
a1.channels.c1.capacity=1000
a1.channels.c1.transactionCapacity=100
a1.channels.c1.keep-alive=3
a1.channels.c1.byteCapacityBufferPercentage = 20
a1.channels.c1.byteCapacity = 800000
a1.sinks.s1.type =avro
a1.sinks.s1.hostname=hdp02
a1.sinks.s1.port=6669
a1.sources.r1.channels=c1
a1.sinks.s1.channel=c1
hdp02的配置:
agent.sources=r1
agent.channels=c1
agent.sinks=s1
agent.sources.r1.type=avro
agent.sources.r1.port=6669
agent.sources.r1.bind=hdp02
agent.channels.c1.type=memory
agent.channels.c1.capacity=1000
agent.channels.c1.transactionCapacity=100
agent.channels.c1.keep-alive=3
agent.channels.c1.byteCapacityBufferPercentage = 20
agent.channels.c1.byteCapacity = 800000
agent.sinks.s1.type =logger
agent.sources.r1.channels=c1
agent.sinks.s1.channel=c1
先启动hdp02的agent: flume-1.6.0下
flume-ng agent -c ./conf/ -f ./conf/hdflume -n agent -Dflume.root.logger=INFO,console &
然后再启动master和hdp01的agent:
flume-ng agent -c ./conf/ -f ./conf/hdflume -n a1 -Dflume.root.logger=INFO,console &
flume-ng agent -c ./conf/ -f ./conf/hdflume -n a1 -Dflume.root.logger=INFO,console &
####然后测试:
在master或者dhp01上
echo "hello qianfeng" | nc master 6669
echo "hello qianfeng" | nc hdp01 6669
4.2案例2、负载均衡
master向hdp01 hdp02发送 二者随机接收
vi myhatest.conf
agent.sources=r1
agent.channels=c1
agent.sinks=s1 s2
agent.sinkgroups =g1
agent.sources.r1.type=exec
agent.sources.r1.command= tail -f /home/flumedata/exedata
agent.channels.c1.type=file
agent.channels.c1.checkpointDir=/home/flumedata/checkpoint
agent.channels.c1.dataDirs=/home/flumedata/data
agent.sinkgroups.g1.sinks = s1 s2
agent.sinkgroups.g1.processor.type=load_balance
agent.sinkgroups.g1.processor.backoff=true
agent.sinkgroups.g1.processor.selector = random
agent.sinkgroups.g1.processor.selector.maxTimeOut =10000
agent.sinks.s1.type =avro
agent.sinks.s1.batchSize=1
agent.sinks.s1.hostname=hdp01
agent.sinks.s1.port=6669
agent.sinks.s2.type =avro
agent.sinks.s2.batchSize=1
agent.sinks.s2.hostname=hdp02
agent.sinks.s2.port=6669
agent.sources.r1.channels = c1
agent.sinks.s1.channel=c1
agent.sinks.s2.channel=c1
hdp01 hdp02同
vi myhatest.conf
agent.sources=r1
agent.channels=c1
agent.sinks=s1
agent.sources.r1.type=avro
agent.sources.r1.port=6669
agent.sources.r1.bind=0.0.0.0
agent.sources.r1.channels=c1
agent.channels.c1.type=file
agent.channels.c1.checkpointDir=/home/flumedata/checkpoint
agent.channels.c1.dataDirs=/home/flumedata/data
agent.sinks.s1.type = logger
agent.sinks.s1.channel = c1
启动:先启动hdp01 和 hdp02。之后启动master
flume-ng agent -c ./conf/ -f ./conf/myhatest.conf -n agent -Dflume.root.logger=INFO,console
flume-ng agent -c ./conf/ -f ./conf/myhatest.conf -n agent -Dflume.root.logger=INFO,console
flume-ng agent -c ./conf/ -f ./conf/myhatest.conf -n agent -Dflume.root.logger=INFO,console
测试:echo ‘4564’ >> /home/flumedata/exedata 可以多次执行 也可以执行下面语句。
for i in `sep 1 1000` : do echo ‘thisd is ${i}’ >> /home/flumedata/exedata 循环执行1000次 看结果是否均衡分发给两个节点。