Logstash / Elasticsearch Double Values

MaikLinnemann · December 12, 2017, 12:01pm

Dear all,

i have an issue with logstash that i try to solve since a while. My issue is that the values for the output of "PROBLEMSITE" is always double. Here is an JSON example:

  "_source": {
    "request": [
      "/",
      "/"
    ],
    "agent": [
      "\"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"",
      "\"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\""
    ],
    "auth": [
      "-",
      "-"
    ],
    "ident": [
      "-",
      "-"
    ],
    "verb": [
      "GET",
      "GET"
    ],

All other sites output works as expected!!! No issues, only for "PROBLEMSITE".....

I have a logstash config as follows:

input {
  file {
path => [ "/var/log/nginx/access.log" ]
#exclude => "*.gz"
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
type => "nginx-default"
   }

file {
path => [ "/var/log/nginx/xxx-PROBLEMSITE.access.log" ]
exclude => "*.gz"
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
type => "nginx-PROBLEMSITE"
    }
  
file {
path => [ "/var/log/nginx/webmail.access.log" ]
exclude => "*.gz"
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
type => "nginx-webmail"
    }
    
file {
path => [ "/var/log/nginx/owncloud.access.log" ]
exclude => "*.gz"
start_position => "beginning"
sincedb_path => "/dev/null"
ignore_older => 0
type => "nginx-owncloud"
    }    
  }
 	     

filter {

if [type] == "nginx-default" {
    grok {
	    patterns_dir => "/etc/logstash/patterns"
    match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }

    date {
          	 match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss +0100" ]
             target => "tempdate"
    }
    
    ruby {
         	 code => "
         	 t = event.get('tempdate').time
				 t.localtime('+01:00')
				 event.set('logdatetime', t.strftime('%Y-%m-%dT%H:%M:%S +0100'))
				 "	
         }    

  	geoip {
  	source => "clientip"
  	target => "geoip-src"
  	database => "/etc/logstash/GeoLite2-City_20170704/GeoLite2-City.mmdb"
  	}

   } 
   
   else if [type] == "nginx-PROBLEMSITE" {
    grok {
	    patterns_dir => "/etc/logstash/patterns"
        match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }
  	geoip {
  	source => "clientip"
  	target => "geoip-src"
  	database => "/etc/logstash/GeoLite2-City_20170704/GeoLite2-City.mmdb"
  }

   }
   
   else if [type] == "nginx-webmail" {
    grok {
	    patterns_dir => "/etc/logstash/patterns"
        match => [ "message", "%{ACTIVESYNC}" ]
    }

  geoip {
  source => "clientip"
  target => "geoip-src"
  database => "/etc/logstash/GeoLite2-City_20170704/GeoLite2-City.mmdb"
  }

   }
   
   else if [type] == "nginx-owncloud" {
    grok {
	    patterns_dir => "/etc/logstash/patterns"
        match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }

  geoip {
  source => "clientip"
  target => "geoip-src"
  database => "/etc/logstash/GeoLite2-City_20170704/GeoLite2-City.mmdb"
  }

   }
   
}

output {

  if [type] == "nginx-default" {
  elasticsearch {
  index => "nginx-webhoster-default-%{+YYYY-MM-dd}"
  hosts => [ "192.168.0.12:9200" ]
  #flush_size => 1000
  manage_template => true
  template_overwrite => true
  template => "/etc/logstash/templates/nginx.json"
  template_name => "nginx-webhoster-default"
      }
  }
  
  else if [type] == "nginx-PROBLEMSITE" {
  elasticsearch {
  index => "nginx-webhoster-PROBLEMSITE-%{+YYYY-MM-dd}"
  hosts => [ "192.168.0.12:9200" ]
  #flush_size => 1000
  manage_template => true
  template_overwrite => true
  template => "/etc/logstash/templates/nginx.PROBLEMSITE.json"
  template_name => "nginx-webhoster-PROBLEMSITE"
      }
  }
   
	  else if [type] == "nginx-webmail" {
  elasticsearch {
  index => "nginx-webhoster-webmail-%{+YYYY.MM.dd}"
  hosts => [ "192.168.0.12:9200" ]
  #flush_size => 1000
  manage_template => true
  template_overwrite => true
  template => "/etc/logstash/templates/nginx.webmail.json"
  template_name => "nginx-webhoster-webmail"
     }
  }
  
  else if [type] == "nginx-owncloud" {
  elasticsearch {
  index => "nginx-webhoster-owncloud-%{+YYYY.MM.dd}"
  hosts => [ "192.168.0.12:9200" ]
  #flush_size => 1000
  manage_template => true
  template_overwrite => true
  template => "/etc/logstash/templates/nginx.owncloud.json"
  template_name => "nginx-webhoster-owncloud"
     }
  }
}

Could anyone give a hint or shed some light please?

magnusbaeck · December 12, 2017, 1:16pm

Where are your config files? What files do you have in that directory?

MaikLinnemann · December 12, 2017, 1:24pm

Hi Magnus, the config above is logstash/conf.d/nginx.conf
Else i have Templates under logstash/templates

{
    "template" : "nginx-webhoster-PROBLEMSITE-*",
    "order" : 0,
    "settings" : {
        "number_of_shards" : 2,
        "index.refresh_interval" : "90s"
    },
    "mappings" : {
        "nginx-webhoster-PROBLEMSITE" : {
            "properties" : {
                "timestamp" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "httpversion" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "request" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "auth" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "agent" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "clientip" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "bytes" : { "index": "not_analyzed", "doc_values": true, "type" : "long" },
                "response" : { "index": "not_analyzed", "doc_values": true, "type" : "short" },
		"ident" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
                "rawrequest" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
		"verb" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
		"referrer" : { "index": "not_analyzed", "doc_values": true, "type" : "keyword" },
		"@timestamp" : { "format" : "dateOptionalTime", "type" : "date" } 
            }
        }
    }
}

The other Templates are all the same...

magnusbaeck · December 12, 2017, 2:29pm

What other files do you have in logstash/conf.d?

MaikLinnemann · December 12, 2017, 3:38pm

Thanks bobbing me to right direction, i had a backup file in the folder. seems logstash read that file. as i removed it, the problem seems solved for now. any clue why other IO was not affected?

Topic		Replies	Views
Double values filebeat Beats filebeat	1	226	April 19, 2023
Duplicate record exatly twice Logstash	8	890	April 20, 2018
Logstash duplicate Logstash	12	125	March 17, 2025
Logstash ingest and export to elasticsearch files twice Logstash	16	760	March 16, 2022
Why is the value in the field on kibana repeated? Logstash	3	491	July 7, 2021

Logstash / Elasticsearch Double Values

Related topics