Data inconsistencty shown in ELK

Ravi_Pattar · January 12, 2024, 1:54pm

Hello,

I am running with ELK version 7.17.15.

# curl -X GET "localhost:9200"
{
  "name" : "ip",
  "cluster_name" : "name",
  "cluster_uuid" : "uudi",
  "version" : {
    "number" : "7.17.15",
    "build_flavor" : "default",
    "build_type" : "deb",

Till now I was focusing on indices/index name starting with filebeat-7.17.15-2024.* when I checked using the curl on a CLI interface. e.g. as below

# curl -X GET "localhost:9200/_cat/indices/filebeat-7*?v"
health status index                              uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   filebeat-7.17.15-2024.01.04        3ovJP1iaR5-rvPzKv3ICWg   1   1       9966            0      5.6mb          5.6mb
yellow open   filebeat-7.17.15-2024.01.05        3D9py_93SAiRnmA63Zx0-A   1   1       9982            0      5.5mb          5.5mb
yellow open   filebeat-7.17.15-2024.01.05-000003 FYZvGtomSV6078M5CuBLdQ   1   1          0            0       227b           227b
yellow open   filebeat-7.17.15-2024.01.02        F7sCgm1UQICJ4A81efl2Pw   1   1       9877            0      5.5mb          5.5mb
yellow open   filebeat-7.17.15-2024.01.12-000004 CFwxqiECQvaMcMvQ59G4Zg   1   1          0            0       227b           227b

Currently I am seeing there index name starting with filebeat-8.10.4-2024.01.12 and filebeat-8.11.2-2024.01.12. I am not sure if I am overlooking into this pattern?

# curl -X GET "localhost:9200/_cat/indices/filebeat-8*?v"
health status index                      uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   filebeat-8.11.2-2024.01.12 ATocymT0SVy1sYqYmivaxg   1   1     731290            0    334.7mb        334.7mb
yellow open   filebeat-8.11.2-2024.01.10 XDvtmU6_QPKLhg2gq2HHVA   1   1    1780126            0    582.7mb        582.7mb
yellow open   filebeat-8.11.2-2024.01.11 4CmGRMeURxGMyatRaPf-Wg   1   1    1763247            0    578.6mb        578.6mb
yellow open   filebeat-8.11.1-2024.01.08 -IG4ycCMRZaA1RFvDAzI1g   1   1   18836608            0      8.5gb          8.5gb

Please someone could suggest on why?

Thanks,

leandrojmp · January 12, 2024, 1:59pm

Hello,

It is not clear what is the inconsistency here and what is your issue.

If you have indices that start with filebeat-7.17.15-*, this means that you have some filebeat 7.17.15 sending logs to your cluster.

The same thing happens for indices starting with filebeat-8.*, you have some filebeat instance on these specific versions sending logs to your cluster.

Ravi_Pattar · January 12, 2024, 2:08pm

Hello.

Thanks, I understood.

Question: This is a single node solution and when I checked the filebeat version it specifies as below mentioned.

filebeat version

filebeat version 7.17.15 (arm64), libbeat 7.17.15 [xxxx built 2023-11-08 19:08:34 +0000 UTC]

I will check at the client end if anything or any client server has been added and has fb version 8.x installed. correct me if I am wrong here.

Thanks,

leandrojmp · January 12, 2024, 2:11pm

As mentioned, y ou have filebeat instances on version 8 sending logs to your cluster.

You can look in Kibana in the dataview for your filebeat logs and filter by the index name to know more about those logs and maybe identify the source.

Ravi_Pattar · February 2, 2024, 3:50pm

Thank you @leandrojmp This helped a lot and was able to fetch the details on identifying the source and the logs path.

Thanks,
Ravi

system · March 1, 2024, 3:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.