Member since
07-30-2019
3472
Posts
1642
Kudos Received
1020
Solutions
My Accepted Solutions
| Title | Views | Posted |
|---|---|---|
| 205 | 06-03-2026 06:06 PM | |
| 495 | 05-06-2026 09:16 AM | |
| 949 | 05-04-2026 05:20 AM | |
| 552 | 05-01-2026 10:15 AM | |
| 671 | 03-23-2026 05:44 AM |
05-27-2021
08:24 AM
@Rupesh_Raghani Since templates reside in NiFi heap, they should only be uploaded to the NiFi for the purpose of instantiating that template to the canvas. Once instantiate on to the canvas, the template should be deleted from the NiFi, so it is no longer holding that memory space. In addition to uploaded templates consuming heap memory space, so does everything build on the canvas (including controller services, and reporting tasks.). Additionally the metrics for each component also reside within heap memory space. Additionally, all FlowFiles queued (except large queues resulting in swap files) will also reside in the NiFi JVM heap memory space. How much heap each FlowFile consumes is driven by the number and size of the FlowFile attributes on each FlowFile (FlowFile content does not reside in heap memory except when a processor needs to do so to perform its task and not all processors need to touch the content at all and other may also read it without needing to hold it in heap if it is streaming it somewhere else.). The impact on heap various based on what components are being used and how many. If your flow grow extremely large, it may be a case of breaking those flows to be managed by Multiple NiFi clusters. NiFi flow templates will become a deprecated capability in favor of NiFi-Registry. You can version control your flows in to NiFi-Registry. All NiFi's connected to this NiFi-Registry can then load Flows from NiFi-Registry to the canvas (one or more times). I am not sure what you are looking for with regards to "How does it manage individual processors in memory?" All processors residing within the canvas and within templates will reside in the JVM heap memory space. If you find this helps with yoru query, please take a moment to login and click "ACCEPT" on this solution. Thank you, Matt
... View more
05-24-2021
06:24 AM
@Chakkara The more detail you can provide, the better we may be able to assist. Are you using custom processors? NiFi does not come with a ReplaceAttribute processor. I am assuming your flow may actually be using: GetFile (deprecated processor in favor of the listFile and FetchFile processors) --> UpdateAttribute --> ExtractText --> RouteOnAttribute --> putSQL Can you share the configuration you are currently using on the above processors, so we can see what you are doing now? Perhaps you only need a few tweaks to your current design. Thanks, Matt
... View more
05-21-2021
01:46 PM
@SAMSAL Sounds like you are very close... The 403 has nothing to do with authentication, but rather authorization. This eludes to the fact that the client was able to be properly trusted through the mutual TLS handshake, but when that resulting client string was checked against the endpoint policy being checked it was not present, thus resulting in a 403 response. The DN is the DistinquishedName for your certificate. You can use the below command to get the verbose details on the certs added to a keystore: keytool -v -list -keystore <keystore.jks or truststore.jks> You will see that each certificate has either type "PrivateKeyEntry" or "TrustedCertEntry" For each certificate you will see an "Owner" and an "Issuer" For each of those it will show the complete DN which would look something like: CN=<some string>, OU=<some string>, DC=<some string> There are numerous parts that can be part (CN, OU, O, ST, DC, etc.) of a DN and various lengths The "Owner" DN for the PrivateKeyEntry is what is used as the client/user authenticated string after the successful mutual TLS handshake. The nifi.properties file has optional ideNtity.mapping properties that can be configured to trim and manipulated these identity strings (for example pulling our on the string from the CN). With nifi.remote.input.secure= set to false, FlowFiles send over S2S will not be over a TLS encrypted connection. The fact that you say it works when you have this set to false and you can still successfully obtain S2S details from the configured https:// secured NiFi Destination URL tells me that authentication is correct for "Retrieve site-to-site details" NiFi policy. That only leaves having incorrect policy setup for your remote input port. You should open a command prompt on each node and "tail -F /<path to>/nifi-user.log". Then enable your controller services and check the logs being tailed for the authorization exception. It should clearly show you the "string" being checked against the "receive data via site-to-site" endpoint which in the log would look like "/data-transfer/input-ports/<uuid of remote input port>". Also remember that you are NOT authorizing your user to any of these S2S policies, but rather the DN or identity mapped DN string. Really hope this helps you get fully secured here. Matt
... View more
05-20-2021
03:25 PM
@karthikraja @Seedy Parameter Contexts are still relatively new. There is an existing improvement Jira for exactly what you are looking for here that is currently in development. NIFI-8487 Unfortunately, there is not workaround or alternative to what you are trying to achieve other than recreating those common parameters in every parameter context you create currently. If you found this query addressed your question, please take a moment to login and click accept on this solution. Thank you, Matt
... View more
05-20-2021
03:16 PM
@SAMSAL NiFi Site-To-SIte (S2S) components perform to things: 1. A background process runs every 30 seconds which connects to the target URL entered (In this case https://localhost:9443/nifi ) to retrieve S2S details. These details include details like how many nodes in target NiFi cluster, hostnames for those target NiFi nodes, load on those nodes, if those nodes support http and/or RAW transport protocols, What remote input ports exist that this source node is authorized to see, etc... S2S details are always fetched over HTTP even if you set transport protocol to RAW. 2. Then the source NiFi uses this data to actually sent content over S2S to all the target nifi nodes in a distributed fashion. Since your target is a https, the first thing that needs to happen is a Mutual TLS handshake. That means the keystore configured in the SSL Context service must contain a PrivateKeyEntry that support an EKU with "clientAuth". The target NiFi which is probably returned a FQDN via those S2S details, will also send its server certificate to the client. That means the truststore configured in your sslContextService must contain the complete trust chain for that certificate. That server certificate which comes from the keystore in the nifi.properties file on the target NiFi must contain a single PrivateKeyEntry with a EKU that supports "serverAuth" and must also have a SAN that matches the hostname used to connect with. The target NiFi's truststore configured in its nifi.properties file must also contain the complete trust chain for that client certificate presented from the sslContextService. So if all the above is properly in place, and I would guess it is since you are trying to S2S back to same NiFi cluster/instance and are probably using same keystore and truststore in your SSLContextService as is configured in the nifi.properties file, that those files are good. I would however be concerned with your use of "localhost" as the target URL because I doubt the server certificate sent in that TLS handshake is going to have a SAN entry that contains "localhost". You should instead provide the actual hostname for that target NiFi. It is fine and common to use localhost in the "instance URL"field as that is only used to identify the host that sent the FlowFile to the target InputPort. The only other statement that stands out to me is "The user created by securing the instance has the policy "retrieve site-to-site details"." NiFi authentication and authorization is setup to control what users are allowed to do once they access a secured NiFi UI. The components that are added by the authorized user do not execute as that authenticated user. All components execute as the NiFi service user. In that case of this S2S reporting task, it is executing as the NiFi service user but authenticating to the target through that mutual LS handshake, which means the DN form that clientAuth certificate is going to be the user that needs to be authorized for both the "retrieve Site-To-Site details" and "receive data via site-to-site" NiFi authorization policies. I know there is a lot of information here and hope it is clear. If you found this addressed your query, please take a moment to login and click accept on this solution. Thank you, Matt
... View more
05-20-2021
02:48 PM
1 Kudo
@leandrolinof NiFi Expression Language (NEL) [1] does not read content of the FlowFile. The RouteOnAttribute processor never looks at the content of a FlowFile. So verify your source FlowFile has attributes set with valid numeric only values. So your inbound FlowFile would need to have two attributes on it already: 1. cont 2. CONTADOR Note: NiFi is case sensitive as well. And both these attributes need to have assigned values to them. The NEL statement you have will return the value assigned to the FlowFile attribute "cont" and check to see if it is less than the value assigned to the FlowFile attribute "CONTADOR". If that resolves to "True", the FlowFile will be routed to the connection containing the new dynamically created "CONTINUE" relationship. Otherwise, it will route to the "unmatched" relationship which you appear to have auto-terminated. [1] https://nifi.apache.org/docs/nifi-docs/html/expression-language-guide.html If you found this addressed your query, please take a moment to login and click accept on this solution. Thank you, Matt
... View more
05-20-2021
02:20 PM
@Acbx You should be able to easily do this based on your example easily with the ReplaceText processor configured as follows: If you found this addressed your query, please take a moment to login and click accept on the solution. Thank you, Matt
... View more
05-20-2021
01:42 PM
@leandrolinof The NiFi merge processor is working exactly as designed. Binary concatenation simply appends the content from one FlowFile to the end of the previous FlowFIle's content. You are trying to perform a special formatted merge. There is no way to configure the mergeContent processor with custom merge logic. I am not clear on the what the content looks like at the various stages of your dataflow. You mention merging FlowFiles from two streams; however, the flow screenshot you shared as 3 flow streams leading to the MergeContent processor. Are you saying the content of a FlowFile down one path is exactly this: Flow 1 (
{"cod": 1}
{"cod": 2}
{"cod": 3}) and on the other path it is exactly this: Flow 2 (
{"error": "error 1"}
{"error": "error 2"}
{"error": "error 3"}) or is it just the json objects without the "flow <num> ( )" wrapped around it? I am guessing above is what is extracted from the invokeHTTP response content? What does the FlowFile content look like on that third path before it reaches MergeContent? I might be helpful with examples of content post InvokeHTTP on all three paths and then what the exact mergeContent based on that example you would want to see. What logic can be get from the above two flows that tells us the first "cod" goes with the first "error"? So if we were to split each into three separate FlowFiles, would there be a way to determine what cod should go with what error? The ExecuteSQL processor configuration you shared is using NiFi Expression Language (NEL). NEL does not read from a FlowFiles content. ${cod} and ${erros} will looks for attributes with these names created on FlowFile and replace that with the values assigned to those attributes. If those FlowFile Attributes do not exist on the FlowFile, NEL will check the variable registry for those attribute strings. Hope this helps give you some direction with your dataflow design journey here. Matt
... View more
05-20-2021
06:17 AM
@Kilynn The following property in the nifi.properties file controls when a swap file is created per connection. nifi.queue.swap.threshold=20000 This is per connection and not for all FlowFiles across all connections. A FlowFile swap file will always consist of 10000 FlowFiles. So if a connection reaches 20000 queued FlowFiles, a swap file will be created for 10000 of those. So if a connection queue reaches 40000, you would have 3 swap files of that connection. You can control individual connection queues by setting the "Back pressure Object Threshold" on a connection: Note: Threshold settings are soft limits And default for object threshold is 10000. So with these settings there should be very little to no swapping of FlowFiles to disk happening at all. Swap files would only happen if source processor to that connection output enough FlowFiles to connection at one time to trigger a swap file. For example: - Connection has 9000 queued FlowFiles, so back pressure is not being applied. - Source processor is thus allowed to execute - Source processor upon execution produces 12000 FlowFiles - now downstream connection has 21000 queued FlowFiles. One swap file is produced and back pressure is enabled until queue drops back below 10000 queued FlowFiles. FlowFiles consist of two parts (FlowFile attributes/metadata and FlowFileContent). The only portion of a FlowFile held in heap memory is the FlowFile attributes/Metadata. FlowFile content is never held in memory (Some processors may load content in to memory in order to perform their function only). FlowFile attributes/metadata is persisted to the flowfile repository and FlowFile content is written to the content repository. This important to avoid data loss if NiFi dies or is restarted while data still exists in connection queues. If you found this helped with your query, please take a moment to login and click accept in the solutions that helped. Thank you, Matt
... View more
05-17-2021
05:52 AM
@leandrolinof The exception indicates "unable to unmarshal JSON to an object" which is commonly thrown when there is an issue with the source FlowFile content. For examples some unescaped Unicode characters like whitespace. I'd inspect you source content. I see in your dataflow that you have a convertAvrotoJson processor that took in a 2.08 KB content source FlowFile and output only a 2 byte content FlowFile. Then later a ReplaceText processor that takes that 2 byte content and output 78 bytes. So you'll want to inspect the content output there just before your JoltTransformJson processor. NiFi processor bulletins which you have shared will not return stack traces that may be produced by processor. Always best to check the nifi-app.log when you see a bulletin to see if maybe there is additional log output that can be helpful as well. Hope this helps, Matt
... View more