Import CSV into Elasticsearch with Logstash issue

dyl · April 3, 2018, 7:40am

Hello ELK community !

I use the ELK stack to parse CSV files and send them to Elasticsearch after parsing them with logstash.

Unfortunately, I have a problem:

When I send my files to the listening directory of the "input" of my logstash pipeline, the records are doubled, see triplets, without my asking anything ...

Indeed :

This is what my pipeline looks like:

input {
file {
path => "/home/XXX/report/*.csv"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
csv {
separator => ";"
columns => ["Name", "Status", "Category", "Type", "EndPoint", "Group", "Policy", "Scanned At", "Reported At", "Affected Application"]
}
}
output {
elasticsearch {
hosts => "http://localhost:9200"
index => "malwarebytes-report"
}
stdout {}
}

When I send my first file containing 28 records in "/home/XXX/report/", this is what Elasticsearch says:

[root @ lrtstfpe1 confd]#curl -XGET 'localhost:9200/_cat/indices?v&pretty'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open malwarebytes-report PO4g6rKRTb6yuMDb7i-6sg 5 1 28 0 25.3kb 25.3kb

So currently it's ok, but when I send my second file of 150 records ...:

[root @ lrtstfpe1 confd]#curl -XGET 'localhost:9200/_cat/indices?v&pretty'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open malwarebytes-report PO4g6rKRTb6yuMDb7i-6sg 5 1 328 0 263.3kb 263.3kb

The 150 recordings have been doubled and added to the first 28 ...

What's going on ??

Several days that I am stuck on the problem, I really need you ..

bvest · April 3, 2018, 12:11pm

I believe your issue is with the logstash file input plugin configuration. This config

    file {
       path => "/home/XXX/report/*.csv"
       start_position => "beginning"
      sincedb_path => "/dev/null"
   }
 }

Tells logstash to read every file in /home/XXX/report/*.csv from the beginning every time it sees a new file.

sincedb_path => "/dev/null" says do not keep track of where we last stopped reading the file and treat all files as new every time the folder is read.

More detailed information is available in the documentation at
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html#plugins-inputs-file-sincedb_path

A more detailed description of how sincedb works is here
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html#_tracking_of_current_position_in_watched_files

dyl · April 3, 2018, 1:42pm

I just try to delete theses two lines, same problem... What am I supposed to do to don't read older files when new files comes in the directory

dyl · April 3, 2018, 2:23pm

When I use Filebeat to monitor my directory insted of input section of logstash, it is the same behaviour...

My pipeline to use filebeat :

input {
beats {
port => 5044
}
}
filter {
csv {
separator => ";"
columns => ["Name","Status","Category","Type","EndPoint","Group","Policy","Scanned At","Reported At","Affected Application"]
}
}
output {
elasticsearch {
hosts => "http://localhost:9200"
index => "malwarebytes-report"
}
}

My filebeat config :

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /home/D_NT_UEM/petotadm/rapport/*.csv
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
setup.kibana:
output.logstash:
  hosts: ["localhost:5044"]

dyl · April 3, 2018, 2:39pm

Moreover, all CSV config that i found on Internet looks like

> start_position => "beginning"
> sincedb_path => "/dev/null"

dyl · April 4, 2018, 7:30am

I just completely uninstalled the ELK stack (rpm -e elasticsearch kibana logstash filebeat) as well as any ELK traces (rm -rf /var/lib/ELK/ var/log/ELK/ etc/default/ELK /usr/share/ELK ...) So, nothing anywhere.

I just reinstall everything:

rpm -ivh elasticsearch-6.2.3.rpm
rpm -ivh kibana-6.2.3-x86_64.rpm
rpm -ivh logstash-6.2.3.rpm

And start the services: service ELK restart

Then, in terms of configurations:
/etc/elasticsearch.yml is completely by default.
/etc/kibana.yml is completely by default.
/etc/logstash.yml is completely by default.

Then, I put my one and ONLY pipeline named "pip.conf" in/etc/logstash/conf.d/
Its configuration:

input {
   file {
     path => "/home/report/*.csv"
     start_position => "beginning"
     sincedb_path => "/dev/null"
  }
}
filter {
  csv {
     separator => ";"
     columns => ["Name","Status","Category","Type","EndPoint","Group","Policy","Scanned At","Reported At","Affected Application"]
  }
}
output {
   elasticsearch {
     hosts => "http://localhost:9200"
     index => "malwarebytes-report"
  }
stdout{}
}

And finally, I launch my pipeline :
I go into /usr/share/logstash and I execute :

bin/logstash -f /etc/logstash/conf.d/pip.conf

After few secondes, my pipeline is listening, and now, I put my file1.csv and my file2.csv into /home/report/.

file1.csv contains 28 records and file2.csv contains 150 records.

But now, when I check my index : curl -XGET 'localhost:9200/_cat/indices?v&pretty'
My index "malwarebytes-report" contains 357 records ... (150x2 + 28x2 ...)

I don't understand NOTHING ....

Thx for help

system · May 2, 2018, 7:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash ingest and export to elasticsearch files twice Logstash	16	684	March 16, 2022
Problem beetween elastic and logstash: csv files are saved twice Logstash	6	552	July 20, 2020
Logstash csv export => export of unwanted documents multiple times Logstash	1	142	February 28, 2023
Logstash logs two filebeat inputs Logstash	3	783	December 7, 2017
Logstash reading the file line multiple times Logstash	2	559	July 23, 2019

Import CSV into Elasticsearch with Logstash issue

Related topics