Tutorial: Writing an ingestion spec

    For this tutorial, we’ll assume you’ve already downloaded Apache Druid as described in the single-machine quickstart and have it running on your local machine.

    It will also be helpful to have finished , Tutorial: Querying data, and .

    Suppose we have the following network flow data:

    • : IP address of sender
    • srcPort: Port of sender
    • dstIP: IP address of receiver
    • dstPort: Port of receiver
    • protocol: IP protocol number
    • packets: number of packets transmitted
    • bytes: number of bytes transmitted
    • cost: the cost of sending the traffic

    Save the JSON contents above into a file called ingestion-tutorial-data.json in quickstart/.

    Let’s walk through the process of defining an ingestion spec that can load this data.

    For this tutorial, we will be using the native batch indexing task. When using other task types, some aspects of the ingestion spec will differ, and this tutorial will point out such areas.

    Defining the schema

    The core element of a Druid ingestion spec is the dataSchema. The dataSchema defines how to parse input data into a set of columns that will be stored in Druid.

    Let’s start with an empty dataSchema and add fields to it as we progress through the tutorial.

    Create a new file called ingestion-tutorial-index.json in quickstart/ with the following contents:

    1. "dataSchema" : {}

    We will be making successive edits to this ingestion spec as we progress through the tutorial.

    The datasource name is specified by the dataSource parameter in the dataSchema.

    1. "dataSchema" : {
    2. "dataSource" : "ingestion-tutorial",
    3. }

    Let’s call the tutorial datasource ingestion-tutorial.

    Time column

    The dataSchema needs to know how to extract the main timestamp field from the input data.

    The timestamp column in our input data is named “ts”, containing ISO 8601 timestamps, so let’s add a timestampSpec with that information to the dataSchema:

    1. "dataSchema" : {
    2. "dataSource" : "ingestion-tutorial",
    3. "timestampSpec" : {
    4. "format" : "iso",
    5. "column" : "ts"
    6. }
    7. }

    Now that we’ve defined the time column, let’s look at definitions for other columns.

    Druid supports the following column types: String, Long, Float, Double. We will see how these are used in the following sections.

    Before we move on to how we define our other non-time columns, let’s discuss rollup first.

    Rollup

    When ingesting data, we must consider whether we wish to use rollup or not.

    • If rollup is disabled, then all columns are treated as “dimensions” and no pre-aggregation occurs.

    For this tutorial, let’s enable rollup. This is specified with a granularitySpec on the dataSchema.

    1. "dataSchema" : {
    2. "dataSource" : "ingestion-tutorial",
    3. "timestampSpec" : {
    4. "format" : "iso",
    5. "column" : "ts"
    6. },
    7. "granularitySpec" : {
    8. "rollup" : true
    9. }
    10. }

    Choosing dimensions and metrics

    For this example dataset, the following is a sensible split for “dimensions” and “metrics”:

    • Dimensions: srcIP, srcPort, dstIP, dstPort, protocol
    • Metrics: packets, bytes, cost

    The dimensions here are a group of properties that identify a unidirectional flow of IP traffic, while the metrics represent facts about the IP traffic flow specified by a dimension grouping.

    Let’s look at how to define these dimensions and metrics within the ingestion spec.

    Dimensions

    Dimensions are specified with a dimensionsSpec inside the dataSchema.

    1. "dataSchema" : {
    2. "dataSource" : "ingestion-tutorial",
    3. "timestampSpec" : {
    4. "format" : "iso",
    5. "column" : "ts"
    6. },
    7. "dimensionsSpec" : {
    8. "dimensions": [
    9. "srcIP",
    10. { "name" : "srcPort", "type" : "long" },
    11. { "name" : "dstIP", "type" : "string" },
    12. { "name" : "dstPort", "type" : "long" },
    13. { "name" : "protocol", "type" : "string" }
    14. ]
    15. },
    16. "granularitySpec" : {
    17. "rollup" : true
    18. }
    19. }

    Each dimension has a name and a type, where type can be “long”, “float”, “double”, or “string”.

    Note that srcIP is a “string” dimension; for string dimensions, it is enough to specify just a dimension name, since “string” is the default dimension type.

    Also note that protocol is a numeric value in the input data, but we are ingesting it as a “string” column; Druid will coerce the input longs to strings during ingestion.

    Strings vs. Numerics

    Should a numeric input be ingested as a numeric dimension or as a string dimension?

    Numeric dimensions have the following pros/cons relative to String dimensions:

    • Pros: Numeric representation can result in smaller column sizes on disk and lower processing overhead when reading values from the column
    • Cons: Numeric dimensions do not have indices, so filtering on them will often be slower than filtering on an equivalent String dimension (which has bitmap indices)

    Metrics

    Metrics are specified with a metricsSpec inside the dataSchema:

    1. "dataSchema" : {
    2. "dataSource" : "ingestion-tutorial",
    3. "timestampSpec" : {
    4. "format" : "iso",
    5. "column" : "ts"
    6. },
    7. "dimensionsSpec" : {
    8. "dimensions": [
    9. "srcIP",
    10. { "name" : "srcPort", "type" : "long" },
    11. { "name" : "dstIP", "type" : "string" },
    12. { "name" : "dstPort", "type" : "long" },
    13. { "name" : "protocol", "type" : "string" }
    14. ]
    15. },
    16. "metricsSpec" : [
    17. { "type" : "count", "name" : "count" },
    18. { "type" : "longSum", "name" : "packets", "fieldName" : "packets" },
    19. { "type" : "longSum", "name" : "bytes", "fieldName" : "bytes" },
    20. { "type" : "doubleSum", "name" : "cost", "fieldName" : "cost" }
    21. ],
    22. "granularitySpec" : {
    23. "rollup" : true
    24. }
    25. }

    When defining a metric, it is necessary to specify what type of aggregation should be performed on that column during rollup.

    Here we have defined long sum aggregations on the two long metric columns, packets and bytes, and a double sum aggregation for the cost column.

    Note that the metricsSpec is on a different nesting level than dimensionSpec or parseSpec; it belongs on the same nesting level as parser within the dataSchema.

    Note that we have also defined a count aggregator. The count aggregator will track how many rows in the original input data contributed to a “rolled up” row in the final ingested data.

    If we were not using rollup, all columns would be specified in the dimensionsSpec, e.g.:

    Define granularities

    At this point, we are done defining the parser and metricsSpec within the dataSchema and we are almost done writing the ingestion spec.

    • Type of granularitySpec: the uniform granularity spec defines segments with uniform interval sizes. For example, all segments cover an hour’s worth of data.
    • The segment granularity: what size of time interval should a single segment contain data for? e.g., DAY, WEEK
    • The bucketing granularity of the timestamps in the time column (referred to as queryGranularity)

    Segment granularity

    Segment granularity is configured by the segmentGranularity property in the granularitySpec. For this tutorial, we’ll create hourly segments:

    1. "dataSchema" : {
    2. "dataSource" : "ingestion-tutorial",
    3. "timestampSpec" : {
    4. "format" : "iso",
    5. "column" : "ts"
    6. },
    7. "dimensionsSpec" : {
    8. "dimensions": [
    9. "srcIP",
    10. { "name" : "srcPort", "type" : "long" },
    11. { "name" : "dstIP", "type" : "string" },
    12. { "name" : "protocol", "type" : "string" }
    13. ]
    14. },
    15. { "type" : "count", "name" : "count" },
    16. { "type" : "longSum", "name" : "packets", "fieldName" : "packets" },
    17. { "type" : "longSum", "name" : "bytes", "fieldName" : "bytes" },
    18. { "type" : "doubleSum", "name" : "cost", "fieldName" : "cost" }
    19. ],
    20. "granularitySpec" : {
    21. "type" : "uniform",
    22. "segmentGranularity" : "HOUR",
    23. "rollup" : true
    24. }
    25. }

    Our input data has events from two separate hours, so this task will generate two segments.

    Query granularity

    The query granularity is configured by the queryGranularity property in the granularitySpec. For this tutorial, let’s use minute granularity:

    1. "dataSchema" : {
    2. "dataSource" : "ingestion-tutorial",
    3. "timestampSpec" : {
    4. "format" : "iso",
    5. "column" : "ts"
    6. },
    7. "dimensionsSpec" : {
    8. "dimensions": [
    9. "srcIP",
    10. { "name" : "srcPort", "type" : "long" },
    11. { "name" : "dstIP", "type" : "string" },
    12. { "name" : "dstPort", "type" : "long" },
    13. { "name" : "protocol", "type" : "string" }
    14. ]
    15. },
    16. "metricsSpec" : [
    17. { "type" : "count", "name" : "count" },
    18. { "type" : "longSum", "name" : "packets", "fieldName" : "packets" },
    19. { "type" : "longSum", "name" : "bytes", "fieldName" : "bytes" },
    20. { "type" : "doubleSum", "name" : "cost", "fieldName" : "cost" }
    21. ],
    22. "granularitySpec" : {
    23. "type" : "uniform",
    24. "segmentGranularity" : "HOUR",
    25. "queryGranularity" : "MINUTE",
    26. "rollup" : true
    27. }
    28. }

    To see the effect of the query granularity, let’s look at this row from the raw input data:

    1. {"ts":"2018-01-01T01:03:29Z","srcIP":"1.1.1.1", "dstIP":"2.2.2.2", "srcPort":5000, "dstPort":7000, "protocol": 6, "packets":60, "bytes":6000, "cost": 4.3}

    When this row is ingested with minute queryGranularity, Druid will floor the row’s timestamp to minute buckets:

    1. {"ts":"2018-01-01T01:03:00Z","srcIP":"1.1.1.1", "dstIP":"2.2.2.2", "srcPort":5000, "dstPort":7000, "protocol": 6, "packets":60, "bytes":6000, "cost": 4.3}

    Define an interval (batch only)

    For batch tasks, it is necessary to define a time interval. Input rows with timestamps outside of the time interval will not be ingested.

    The interval is also specified in the granularitySpec:

    1. "dataSchema" : {
    2. "dataSource" : "ingestion-tutorial",
    3. "timestampSpec" : {
    4. "format" : "iso",
    5. "column" : "ts"
    6. },
    7. "dimensionsSpec" : {
    8. "dimensions": [
    9. "srcIP",
    10. { "name" : "srcPort", "type" : "long" },
    11. { "name" : "dstIP", "type" : "string" },
    12. { "name" : "dstPort", "type" : "long" },
    13. { "name" : "protocol", "type" : "string" }
    14. ]
    15. },
    16. "metricsSpec" : [
    17. { "type" : "count", "name" : "count" },
    18. { "type" : "longSum", "name" : "packets", "fieldName" : "packets" },
    19. { "type" : "longSum", "name" : "bytes", "fieldName" : "bytes" },
    20. { "type" : "doubleSum", "name" : "cost", "fieldName" : "cost" }
    21. ],
    22. "granularitySpec" : {
    23. "type" : "uniform",
    24. "segmentGranularity" : "HOUR",
    25. "queryGranularity" : "MINUTE",
    26. "intervals" : ["2018-01-01/2018-01-02"],
    27. "rollup" : true
    28. }
    29. }

    We’ve now finished defining our dataSchema. The remaining steps are to place the dataSchema we created into an ingestion task spec, and specify the input source.

    The dataSchema is shared across all task types, but each task type has its own specification format. For this tutorial, we will use the native batch ingestion task:

    1. {
    2. "type" : "index_parallel",
    3. "spec" : {
    4. "dataSchema" : {
    5. "dataSource" : "ingestion-tutorial",
    6. "timestampSpec" : {
    7. "format" : "iso",
    8. "column" : "ts"
    9. },
    10. "dimensionsSpec" : {
    11. "dimensions": [
    12. "srcIP",
    13. { "name" : "srcPort", "type" : "long" },
    14. { "name" : "dstIP", "type" : "string" },
    15. { "name" : "dstPort", "type" : "long" },
    16. { "name" : "protocol", "type" : "string" }
    17. ]
    18. },
    19. "metricsSpec" : [
    20. { "type" : "count", "name" : "count" },
    21. { "type" : "longSum", "name" : "packets", "fieldName" : "packets" },
    22. { "type" : "longSum", "name" : "bytes", "fieldName" : "bytes" },
    23. { "type" : "doubleSum", "name" : "cost", "fieldName" : "cost" }
    24. ],
    25. "granularitySpec" : {
    26. "type" : "uniform",
    27. "segmentGranularity" : "HOUR",
    28. "queryGranularity" : "MINUTE",
    29. "intervals" : ["2018-01-01/2018-01-02"],
    30. "rollup" : true
    31. }
    32. }
    33. }
    34. }

    Define the input source

    Now let’s define our input source, which is specified in an ioConfig object. Each task type has its own type of ioConfig. To read input data, we need to specify an inputSource. The example netflow data we saved earlier needs to be read from a local file, which is configured below:

    Since our input data is represented as JSON strings, we’ll use a inputFormat to json format:

    1. "ioConfig" : {
    2. "type" : "index_parallel",
    3. "inputSource" : {
    4. "type" : "local",
    5. "baseDir" : "quickstart/",
    6. "filter" : "ingestion-tutorial-data.json"
    7. },
    8. "inputFormat" : {
    9. "type" : "json"
    10. }
    1. {
    2. "type" : "index_parallel",
    3. "spec" : {
    4. "dataSource" : "ingestion-tutorial",
    5. "timestampSpec" : {
    6. "format" : "iso",
    7. "column" : "ts"
    8. },
    9. "dimensionsSpec" : {
    10. "dimensions": [
    11. "srcIP",
    12. { "name" : "srcPort", "type" : "long" },
    13. { "name" : "dstIP", "type" : "string" },
    14. { "name" : "dstPort", "type" : "long" },
    15. { "name" : "protocol", "type" : "string" }
    16. ]
    17. },
    18. "metricsSpec" : [
    19. { "type" : "count", "name" : "count" },
    20. { "type" : "longSum", "name" : "packets", "fieldName" : "packets" },
    21. { "type" : "longSum", "name" : "bytes", "fieldName" : "bytes" },
    22. { "type" : "doubleSum", "name" : "cost", "fieldName" : "cost" }
    23. ],
    24. "granularitySpec" : {
    25. "type" : "uniform",
    26. "segmentGranularity" : "HOUR",
    27. "queryGranularity" : "MINUTE",
    28. "intervals" : ["2018-01-01/2018-01-02"],
    29. "rollup" : true
    30. }
    31. },
    32. "ioConfig" : {
    33. "type" : "index_parallel",
    34. "inputSource" : {
    35. "type" : "local",
    36. "baseDir" : "quickstart/",
    37. "filter" : "ingestion-tutorial-data.json"
    38. },
    39. "inputFormat" : {
    40. "type" : "json"
    41. }
    42. }
    43. }
    44. }

    Each ingestion task has a tuningConfig section that allows users to tune various ingestion parameters.

    As an example, let’s add a tuningConfig that sets a target segment size for the native batch ingestion task:

    1. "tuningConfig" : {
    2. "type" : "index_parallel",
    3. "partitionsSpec": {
    4. "type": "dynamic",
    5. "maxRowsPerSegment" : 5000000
    6. }
    7. }

    Note that each ingestion task has its own type of tuningConfig.

    Final spec

    We’ve finished defining the ingestion spec, it should now look like the following:

    1. {
    2. "type" : "index_parallel",
    3. "spec" : {
    4. "dataSchema" : {
    5. "dataSource" : "ingestion-tutorial",
    6. "timestampSpec" : {
    7. "format" : "iso",
    8. "column" : "ts"
    9. },
    10. "dimensionsSpec" : {
    11. "dimensions": [
    12. "srcIP",
    13. { "name" : "srcPort", "type" : "long" },
    14. { "name" : "dstIP", "type" : "string" },
    15. { "name" : "dstPort", "type" : "long" },
    16. { "name" : "protocol", "type" : "string" }
    17. ]
    18. },
    19. "metricsSpec" : [
    20. { "type" : "count", "name" : "count" },
    21. { "type" : "longSum", "name" : "packets", "fieldName" : "packets" },
    22. { "type" : "longSum", "name" : "bytes", "fieldName" : "bytes" },
    23. { "type" : "doubleSum", "name" : "cost", "fieldName" : "cost" }
    24. ],
    25. "granularitySpec" : {
    26. "type" : "uniform",
    27. "segmentGranularity" : "HOUR",
    28. "queryGranularity" : "MINUTE",
    29. "intervals" : ["2018-01-01/2018-01-02"],
    30. "rollup" : true
    31. }
    32. },
    33. "ioConfig" : {
    34. "type" : "index_parallel",
    35. "inputSource" : {
    36. "type" : "local",
    37. "baseDir" : "quickstart/",
    38. "filter" : "ingestion-tutorial-data.json"
    39. },
    40. "inputFormat" : {
    41. "type" : "json"
    42. }
    43. },
    44. "tuningConfig" : {
    45. "type" : "index_parallel",
    46. "partitionsSpec": {
    47. "type": "dynamic",
    48. "maxRowsPerSegment" : 5000000
    49. }
    50. }
    51. }
    52. }

    From the apache-druid-24.0.2 package root, run the following command:

    1. bin/post-index-task --file quickstart/ingestion-tutorial-index.json --url http://localhost:8081

    After the script completes, we will query the data.

    Let’s run bin/dsql and issue a select * from "ingestion-tutorial"; query to see what data was ingested.

    1. $ bin/dsql
    2. Welcome to dsql, the command-line client for Druid SQL.
    3. Type "\h" for help.
    4. dsql> select * from "ingestion-tutorial";
    5. ┌──────────────────────────┬───────┬──────┬───────┬─────────┬─────────┬─────────┬──────────┬─────────┬─────────┐
    6. __time bytes cost count dstIP dstPort packets protocol srcIP srcPort
    7. ├──────────────────────────┼───────┼──────┼───────┼─────────┼─────────┼─────────┼──────────┼─────────┼─────────┤
    8. 2018-01-01T01:01:00.000Z 6000 4.9 3 2.2.2.2 3000 60 6 1.1.1.1 2000
    9. 2018-01-01T01:02:00.000Z 9000 18.1 2 2.2.2.2 7000 90 6 1.1.1.1 5000
    10. 2018-01-01T01:03:00.000Z 6000 4.3 1 2.2.2.2 7000 60 6 1.1.1.1 5000
    11. 2018-01-01T02:33:00.000Z 30000 56.9 2 8.8.8.8 5000 300 17 7.7.7.7 4000
    12. 2018-01-01T02:35:00.000Z 30000 46.3 1 8.8.8.8 5000 300 17 7.7.7.7 4000
    13. └──────────────────────────┴───────┴──────┴───────┴─────────┴─────────┴─────────┴──────────┴─────────┴─────────┘
    14. Retrieved 5 rows in 0.12s.
    15. dsql>