Duplicate Lines

mavvv · December 9, 2016, 5:00pm

Hi all,

I have a problem with my ELK configuration.
I use :

logstash 2.4.X
Elasticsearch : 2.4.1
Kibana : 4.6.1

My Logstash.conf

input {
  file {
    type => "MyAppLogs"
    path => "/var/log/myApp/*.log"
  }
}

filter {

  uuid {
    target => "@uuid"
    overwrite => true
  }
  fingerprint {
    source => ["message"]
    target => "fingerprint"
    key => "78787878"
    method => "SHA1"
    concatenate_sources => true
  }
 (some Grok patterns)
}

output {
if "_grokparsefailure" not in [tags] {
  elasticsearch {
    hosts => ["elasticsearch.host.ip"]
    document_id => "%{fingerprint}"
    }
  }
}

If i check in my elasticsearch instance, i see three lines for juste one log line :

As you can see, i generate a fingerprint and try to replace the document_id by my fingerprint.
If i look inside these three lines, i see that they have the same fingerprint (94c475dfd211a587c34610eaa96df1b823a26f3d) but only one line have his document_id replace by the fingerprint.

Do you have any idea why i have these duplpicate lines ?

system · January 6, 2017, 5:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Duplicate logs Elasticsearch	14	6517	July 10, 2018
Why does it have duplicate ID with normal logstash output and fingerprint filter? Logstash	2	299	March 21, 2021
"uuid" and "fingerprint" fields Logstash	8	2161	July 6, 2017
Duplicate events even after introducing fingerprint Logstash	5	579	January 1, 2021
How not to overwrite duplicates? save old documents Logstash	3	801	July 23, 2020

Duplicate Lines

Related topics