Elasticsearch input plugin creates more documents than what is in the originating index

snowboardcto · October 14, 2019, 3:15am

The elasticsearch Logstash input filter seems to output more documents than the index it is set to input from. Below is the filter I'm using. What do I need to do to ensure it only inputs each record in the originating index once? Why does the new index show an increasing number of documents while logstash keeps running? The originating index has about 2 million records.

Note: my goal is to have two separate indexes, one with additional derived data, so the reindexer api is likely not what I want.

input {
  elasticsearch {
    hosts => "localhost:9200"
    index => "test"
    query => '{ "query": {"match_all": {}} }'
    size => 10000
    scroll => "5m"
  }
}
filter {
  mutate {
    ...
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "test-new"
  }
}

Thanks!

seanziee · October 15, 2019, 9:41pm

It may be that the data is replicating. In that case, you can prevent replication by assigning the orgin index document_idfield to the destination document. So in the input, you need to set doc_values to true.

And then the output to elastic needs to have document_id => "%{[@metadata][_id]}"

Then you can guarantee a 1:1 index

system · November 12, 2019, 9:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash with elasticsearch input and output keep looping results forever Logstash	3	886	March 22, 2019
Elasticsearch input on logstash duplicating documents Logstash	1	291	October 20, 2020
Logstash ES->ES more documents out than in? Logstash	5	476	April 18, 2019
How to stop duplicate entries using elasticsearch plugin Logstash	10	6090	June 29, 2017
Reindex data is multiplying docs Logstash	14	565	March 16, 2022

Elasticsearch input plugin creates more documents than what is in the originating index

Related topics