I am seeing an odd issue. When I load a batch of documents to a 1-node ELK server via Filebeat, the count of documents appears to be correct when loading to indexes with 1 shard. But when indexes with 5 shards are created, the document counts are slightly higher. I've verified the counts for the 1 shard indexes to be correct by using Filebeat to write these same documents locally to a text file -- the counts match with what is in ES.
Here are some sample to provide a sense for how the counts are different.
@jasontedor No problem. Sorry for not being clearer earlier. I did a number of full runs -- some with 1 shard indexes and one with 5 shard indexes. Between each run I deleted all my indexes in Elasticsearch and deleted the Filebeat registry to cause everything to re-process from scratch. The counts I'm using are taken from the results of curl 'localhost:9200/_cat/indices?v'. Thanks.
@jasontedor Unfortunately I don't have an field in my data that is unique. (It's log data, and I've checked and there are naturally some dups.) Is there a way to add a unique field (say during Logstash or Filebeat processing)? I can do so if you give me some guidance on how. What I've done so far is the result of hundreds of Google searches, so my understanding is hardly "well rounded"
Not totally sure what you're asking for with the GET /_search -d '{}'. That seems to bring black a flood of JSON. Can't make much sense of it.
I ran the other statements and here are the results. (I took the liberty and adjusting the count to limit it to my indexes (as I don't want any X-Pack monitoring indexes to possibly be included in the results).
I'm sorry, my instructions were unclear and incomplete, and this is my fault.
For the search, I would like you just search one of the indices, say logs-2017.03.01; the output should give you the number of hits and we can compare this to the count from cat indices API.
For the count calls, we can do the same, just hit the same index again and compare this too.
No worries on not having a unique field, for log data that is often the case I was only hoping we would be lucky here and it might help identify the source of this puzzle.
The data I currently have loaded is loaded in 1 shard indexes, and all counts (search hits, cat indexes API, and count) are the same for logs-2017.03.01: 19424. I'll have to do a reload now with 5 shard indexes and see if there are any differences. I'll let you know. Thanks.
Thanks so much and sorry, I'm sure it's a pain to go through this, but first trying to get a basic understanding of the situation! If this is reproducible it gives me hope that we can get to the bottom of this.
Absolutely no need to apologize! I'm just grateful that there are experts out there so willing to help out the muddled masses like me
I'm at a loss, though. I ran the above tests with 5 shard indexes (for logs-2017.03.01 through logs-2017.03.10). Everything matched exactly. (I even repeated the test to confirm. Worked perfectly.)
I don't get it. I know I wasn't making up the odd results I was seeing earlier. But for some reason I can't seem to repeat it. (I guess it must not have been related to 1 shard vs. 5 shards after all.)
If you have any further thoughts on things to try, I'm open to given it a shot. But barring that, we should probably consider this "closed" for now.
My initial thought when I saw your report is that something hiccuped somewhere and documents were retried; with auto-generated IDs we would expect to see duplicate documents in a situation like this. Where that hiccup would have been, I do not know.
If this does reproduce again, please feel free to ping and we will try to diagnose it.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
