rewrite guide

Blargian · Blargian · commit 74b2a934f634 · 2025-10-24T19:48:34.000+02:00
diff --git a/docs/integrations/data-ingestion/etl-tools/vector-to-clickhouse.md b/docs/integrations/data-ingestion/etl-tools/vector-to-clickhouse.md
@@ -18,12 +18,15 @@ import PartnerBadge from '@theme/badges/PartnerBadge';
 <PartnerBadge/>
 
 Being able to analyze your logs in real time is critical for production applications.
-Have you ever wondered if ClickHouse is good at storing and analyzing log data?
-Just checkout [Uber's experience](https://eng.uber.com/logging/) with converting their logging infrastructure from ELK to ClickHouse.
+ClickHouse excels at storing and analyzing log data due to it's excellent compression (up to [170x](https://clickhouse.com/blog/log-compression-170x) for logs)
+and ability to aggregate large amounts of data quickly.
 
 This guide shows you how to use the popular data pipeline [Vector](https://vector.dev/docs/about/what-is-vector/) to tail an Nginx log file and send it to ClickHouse.
-The steps below would be similar for tailing any type of log file.
-We will assume you already have ClickHouse up and running and Vector installed (no need to start it yet though).
+The steps below are similar for tailing any type of log file.
+
+**Prerequisites:**
+- You already have ClickHouse up and running
+- You have Vector installed
 
 <VerticalStepper headerLevel="h2">
 
@@ -47,15 +50,16 @@ ENGINE = MergeTree()
 ORDER BY tuple()
 ```
 
- :::note
- **ORDER BY** is set to **tuple()** (an empty tuple) as there is no need for a primary key yet.
- :::
+:::note
+**ORDER BY** is set to **tuple()** (an empty tuple) as there is no need for a primary key yet.
+:::
 
 ## Configure Nginx {#2--configure-nginx}
 
-We certainly do not want to spend too much time explaining Nginx, but we also do not want to hide all the details, so in this step we will provide you with enough details to get Nginx logging configured.
+In this step, you will be shown how to get Nginx logging configured.
 
-1. The following `access_log` property sends logs to `/var/log/nginx/my_access.log` in the **combined** format. This value goes in the `http` section of your `nginx.conf` file:
+1. The following `access_log` property sends logs to `/var/log/nginx/my_access.log` in the **combined** format.
+This value goes in the `http` section of your `nginx.conf` file:
     
 ```bash
 http {
@@ -70,125 +74,154 @@ http {
 
 2. Be sure to restart Nginx if you had to modify `nginx.conf`.
 
-3. Generate some log events in the access log by visiting pages on your web server. Logs in the **combined** format have the following format:
-    ```bash
-    192.168.208.1 - - [12/Oct/2021:03:31:44 +0000] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
-    192.168.208.1 - - [12/Oct/2021:03:31:44 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
-    192.168.208.1 - - [12/Oct/2021:03:31:49 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
-    ```
+3. Generate some log events in the access log by visiting pages on your web server.
+Logs in the **combined** format look as follows:
+
+ ```bash
+ 192.168.208.1 - - [12/Oct/2021:03:31:44 +0000] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
+ 192.168.208.1 - - [12/Oct/2021:03:31:44 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://localhost/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
+ 192.168.208.1 - - [12/Oct/2021:03:31:49 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
+ ```
 
 ## Configure Vector {#3-configure-vector}
 
-Vector collects, transforms and routes logs, metrics, and traces (referred to as **sources**) to lots of different vendors (referred to as **sinks**), including out-of-the-box compatibility with ClickHouse. Sources and sinks are defined in a configuration file named **vector.toml**.
+Vector collects, transforms and routes logs, metrics, and traces (referred to as **sources**) to many different vendors (referred to as **sinks**), including out-of-the-box compatibility with ClickHouse.
+Sources and sinks are defined in a configuration file named **vector.toml**.
+
+1. The following **vector.toml** file defines a **source** of type **file** that tails the end of **my_access.log**, and it also defines a **sink** as the **access_logs** table defined above:
+
+```bash
+[sources.nginx_logs]
+type = "file"
+include = [ "/var/log/nginx/my_access.log" ]
+read_from = "end"
+
+[sinks.clickhouse]
+type = "clickhouse"
+inputs = ["nginx_logs"]
+endpoint = "http://clickhouse-server:8123"
+database = "nginxdb"
+table = "access_logs"
+skip_unknown_fields = true
+```
 
-1. The following **vector.toml** defines a **source** of type **file** that tails the end of **my_access.log**, and it also defines a **sink** as the **access_logs** table defined above:
-    ```bash
-    [sources.nginx_logs]
-    type = "file"
-    include = [ "/var/log/nginx/my_access.log" ]
-    read_from = "end"
+2. Start Vector using the configuration above. Visit the Vector [documentation](https://vector.dev/docs/) for more details on defining sources and sinks.
 
-    [sinks.clickhouse]
-    type = "clickhouse"
-    inputs = ["nginx_logs"]
-    endpoint = "http://clickhouse-server:8123"
-    database = "nginxdb"
-    table = "access_logs"
-    skip_unknown_fields = true
-    ```
+3. Verify that the access logs are being inserted into ClickHouse by running the following query. You should see the access logs in your table:
 
-2. Start up Vector using the configuration above. <a href="https://vector.dev/docs/" target="_blank">Visit the Vector documentation</a> for more details on defining sources and sinks.
+```sql
+SELECT * FROM nginxdb.access_logs
+```
 
-3. Verify the access logs are being inserted into ClickHouse. Run the following query and you should see the access logs in your table:
-    ```sql
-    SELECT * FROM nginxdb.access_logs
-    ```
-    <Image img={vector01} size="lg" border alt="View ClickHouse logs in table format" />
+<Image img={vector01} size="lg" border alt="View ClickHouse logs in table format" />
 
 ## Parse the Logs {#4-parse-the-logs}
 
-Having the logs in ClickHouse is great, but storing each event as a single string does not allow for much data analysis. Let's see how to parse the log events using a materialized view.
-
-1. A **materialized view** (MV, for short) is a new table based on an existing table, and when inserts are made to the existing table, the new data is also added to the materialized view. Let's see how to define a MV that contains a parsed representation of the log events in **access_logs**, in other words:
-    ```bash
-    192.168.208.1 - - [12/Oct/2021:15:32:43 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
-    ```
-
-    There are various functions in ClickHouse to parse the string, but for starters let's take a look at **splitByWhitespace** - which parses a string by whitespace and returns each token in an array. To demonstrate, run the following command:
-    ```sql
-    SELECT splitByWhitespace('192.168.208.1 - - [12/Oct/2021:15:32:43 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"')
-    ```
-
-    Notice the response is pretty close to what we want! A few of the strings have some extra characters, and the user agent (the browser details) did not need to be parsed, but we will resolve that in the next step:
-    ```text
-    ["192.168.208.1","-","-","[12/Oct/2021:15:32:43","+0000]","\"GET","/","HTTP/1.1\"","304","0","\"-\"","\"Mozilla/5.0","(Macintosh;","Intel","Mac","OS","X","10_15_7)","AppleWebKit/537.36","(KHTML,","like","Gecko)","Chrome/93.0.4577.63","Safari/537.36\""]
-    ```
-
-2. Similar to **splitByWhitespace**, the **splitByRegexp** function splits a string into an array based on a regular expression. Run the following command, which returns two strings.
-    ```sql
-    SELECT splitByRegexp('\S \d+ "([^"]*)"', '192.168.208.1 - - [12/Oct/2021:15:32:43 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"')
-    ```
-
-    Notice the second string returned is the user agent successfully parsed from the log:
-    ```text
-    ["192.168.208.1 - - [12/Oct/2021:15:32:43 +0000] \"GET / HTTP/1.1\" 30"," \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36\""]
-    ```
-
-3. Before looking at the final **CREATE MATERIALIZED VIEW** command, let's view a couple more functions used to cleanup the data. For example, the `RequestMethod` looks like **"GET** with an unwanted double-quote. Run the following **trim** function, which removes the double quote:
-    ```sql
-    SELECT trim(LEADING '"' FROM '"GET')
-    ```
-
-4. The time string has a leading square bracket, and also is not in a format that ClickHouse can parse into a date. However, if we change the separator from a colon (**:**) to a comma (**,**) then the parsing works great:
-    ```sql
-    SELECT parseDateTimeBestEffort(replaceOne(trim(LEADING '[' FROM '[12/Oct/2021:15:32:43'), ':', ' '))
-    ```
-
-5. We are now ready to define our materialized view. Our definition includes **POPULATE**, which means the existing rows in **access_logs** will be processed and inserted right away. Run the following SQL statement:
-    ```sql
-    CREATE MATERIALIZED VIEW nginxdb.access_logs_view
-    (
-        RemoteAddr String,
-        Client String,
-        RemoteUser String,
-        TimeLocal DateTime,
-        RequestMethod String,
-        Request String,
-        HttpVersion String,
-        Status Int32,
-        BytesSent Int64,
-        UserAgent String
-    )
-    ENGINE = MergeTree()
-    ORDER BY RemoteAddr
-    POPULATE AS
-    WITH
-        splitByWhitespace(message) as split,
-        splitByRegexp('\S \d+ "([^"]*)"', message) as referer
-    SELECT
-        split[1] AS RemoteAddr,
-        split[2] AS Client,
-        split[3] AS RemoteUser,
-        parseDateTimeBestEffort(replaceOne(trim(LEADING '[' FROM split[4]), ':', ' ')) AS TimeLocal,
-        trim(LEADING '"' FROM split[6]) AS RequestMethod,
-        split[7] AS Request,
-        trim(TRAILING '"' FROM split[8]) AS HttpVersion,
-        split[9] AS Status,
-        split[10] AS BytesSent,
-        trim(BOTH '"' from referer[2]) AS UserAgent
-    FROM
-        (SELECT message FROM nginxdb.access_logs)
-    ```
-
-6. Now verify it worked. You should see the access logs nicely parsed into columns:
-    ```sql
-    SELECT * FROM nginxdb.access_logs_view
-    ```
-    <Image img={vector02} size="lg" border alt="View parsed ClickHouse logs in table format" />
-
-    :::note
-    The lesson above stored the data in two tables, but you could change the initial `nginxdb.access_logs` table to use the **Null** table engine - the parsed data will still end up in the `nginxdb.access_logs_view` table, but the raw data will not be stored in a table.
-    :::
+Having the logs in ClickHouse is great, but storing each event as a single string does not allow for much data analysis.
+We'll next look at how to parse the log events using a [materialized view](/materialized-view/incremental-materialized-view).
+
+A **materialized view** functions similarly to an insert trigger in SQL. When rows of data are inserted into a source table, the materialized view makes some transformation of these rows and inserts the results into a target table.
+The materialized view can be configured to configure a parsed representation of the log events in **access_logs**.
+An example of one such log event is shown below:
+
+```bash
+192.168.208.1 - - [12/Oct/2021:15:32:43 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
+```
+
+There are various functions in ClickHouse to parse the above string. The [`splitByWhitespace`](/sql-reference/functions/splitting-merging-functions#splitByWhitespace) function parses a string by whitespace and returns each token in an array.
+To demonstrate, run the following command:
+
+```sql title="Query"
+SELECT splitByWhitespace('192.168.208.1 - - [12/Oct/2021:15:32:43 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"')
+```
+
+```text title="Response"
+["192.168.208.1","-","-","[12/Oct/2021:15:32:43","+0000]","\"GET","/","HTTP/1.1\"","304","0","\"-\"","\"Mozilla/5.0","(Macintosh;","Intel","Mac","OS","X","10_15_7)","AppleWebKit/537.36","(KHTML,","like","Gecko)","Chrome/93.0.4577.63","Safari/537.36\""]
+```
+
+A few of the strings have some extra characters, and the user agent (the browser details) did not need to be parsed, but
+the resulting array is close to what is needed.
+
+Similar to `splitByWhitespace`, the [`splitByRegexp`](/sql-reference/functions/splitting-merging-functions#splitByRegexp) function splits a string into an array based on a regular expression.
+Run the following command, which returns two strings.
+
+```sql
+SELECT splitByRegexp('\S \d+ "([^"]*)"', '192.168.208.1 - - [12/Oct/2021:15:32:43 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"')
+```
+
+Notice that the second string returned is the user agent successfully parsed from the log:
+
+```text
+["192.168.208.1 - - [12/Oct/2021:15:32:43 +0000] \"GET / HTTP/1.1\" 30"," \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36\""]
+```
+
+Before looking at the final `CREATE MATERIALIZED VIEW` command, let's view a couple more functions used to clean up the data.
+For example, the value of `RequestMethod` is `"GET` containing an unwanted double-quote.
+You can use the [`trim`](/sql-reference/functions/string-functions#trim) function to remove the double quote:
+
+```sql
+SELECT trim(LEADING '"' FROM '"GET')
+```
+
+The time string has a leading square bracket, and is also not in a format that ClickHouse can parse into a date.
+However, if we change the separator from a colon (**:**) to a comma (**,**) then the parsing works great:
+
+```sql
+SELECT parseDateTimeBestEffort(replaceOne(trim(LEADING '[' FROM '[12/Oct/2021:15:32:43'), ':', ' '))
+```
+
+We are now ready to define the materialized view.
+The definition below includes `POPULATE`, which means the existing rows in **access_logs** will be processed and inserted right away.
+Run the following SQL statement:
+
+```sql
+CREATE MATERIALIZED VIEW nginxdb.access_logs_view
+(
+  RemoteAddr String,
+  Client String,
+  RemoteUser String,
+  TimeLocal DateTime,
+  RequestMethod String,
+  Request String,
+  HttpVersion String,
+  Status Int32,
+  BytesSent Int64,
+  UserAgent String
+)
+ENGINE = MergeTree()
+ORDER BY RemoteAddr
+POPULATE AS
+WITH
+  splitByWhitespace(message) as split,
+  splitByRegexp('\S \d+ "([^"]*)"', message) as referer
+SELECT
+  split[1] AS RemoteAddr,
+  split[2] AS Client,
+  split[3] AS RemoteUser,
+  parseDateTimeBestEffort(replaceOne(trim(LEADING '[' FROM split[4]), ':', ' ')) AS TimeLocal,
+  trim(LEADING '"' FROM split[6]) AS RequestMethod,
+  split[7] AS Request,
+  trim(TRAILING '"' FROM split[8]) AS HttpVersion,
+  split[9] AS Status,
+  split[10] AS BytesSent,
+  trim(BOTH '"' from referer[2]) AS UserAgent
+FROM
+  (SELECT message FROM nginxdb.access_logs)
+```
+
+Now verify it worked.
+You should see the access logs nicely parsed into columns:
+
+```sql
+SELECT * FROM nginxdb.access_logs_view
+```
+
+<Image img={vector02} size="lg" border alt="View parsed ClickHouse logs in table format" />
+
+:::note
+The lesson above stored the data in two tables, but you could change the initial `nginxdb.access_logs` table to use the [`Null`](/engines/table-engines/special/null) table engine.
+The parsed data will still end up in the `nginxdb.access_logs_view` table, but the raw data will not be stored in a table.
+:::
 
 </VerticalStepper>
 
