Logstash importing hostname incorrectly

ASA01 · March 26, 2021, 1:25pm

Running across something I don't understand after building a new stack with the latest release of Logstash (7.11.1). It appears to be entering the hostname wrong or I understand it wrong. The system hostname is cmscd however, in ES I am seeing

I looked in the environ for logstash and see HOSTNAME=cmscd. I am not sure where the duplicate names are coming from. Nothing really crazy in my output section.

output {
   elasticsearch {
      hosts => [ "http://localhost:9200"]
      index => "ech-%{+YYYY.MM.dd}"
      document_id => "%{acd}_%{callid}_%{segment}_%{ucid}"
      manage_template => false
      user => "${ES_USER}"
      password => "${ES_PWD}"
   }
   stdout { codec => rubydebug }
}

Just trying to understand why I am getting both host and hostname and why hostname is repeated.

Thanks for your assistance

Badger · March 26, 2021, 4:16pm

I suspect hostname is an array, containing three copies of host. That would happen if you did

mutate { add_field => { "hostname" => "%{host}" } }
mutate { add_field => { "hostname" => "%{host}" } }
mutate { add_field => { "hostname" => "%{host}" } }

ASA01 · March 26, 2021, 5:24pm

here is the entire conf. I don't have hostname in it at all.

input {
	file {
		path => "/home/ech/chr*"
		start_position => "beginning"
		file_completed_action => "delete"
		sincedb_path => "/dev/null"
		mode => "read"
	}	
}

filter {
	csv {
		separator => "|"
		skip_header => true
		autodetect_column_names => true
		skip_empty_rows => true
	}
	date {
		match => ["segstart", "yyyy-MM-dd HH:mm:ss"]
	}
	date {
		match => ["segstart", "yyyy-MM-dd HH:mm:ss"]
		target => "segstart"
	}
	date {
		match => ["segstop", "yyyy-MM-dd HH:mm:ss"]
		target => "segstop"
	}
	date {
		match => ["segstart_utc", "yyyy-MM-dd HH:mm:ss"]
		target => "segstart_utc"
	}
	date {
		match => ["segstop_utc", "yyyy-MM-dd HH:mm:ss"]
		target => "segstop_utc"
	}
	
	translate {
		field => "disposition"
		destination => "calldisposition"
		fallback => "unknown"
		dictionary => {
			"1" => "Connected"
			"2" => "Answered"
			"3" => "Abandoned"
			"4" => "Interflowed"
			"5" => "Forced Busy"
			"6" => "Forced Disconnect"
			"7" => "Other"
			"8" => "ICR Pulled"
		}
	}
	translate {
		field => "interruptdel"
		destination => "interrupt"
		fallback => "unknown"
		dictionary => {
			"0" => "Not Applicable"
			"1" => "Auto in Interrupt"
			"2" => "Manual in Interrupt"
			"3" => "Notify Interrupt"
		}
	}
	 if [dispsplit] == "-1" {
      mutate {
         replace => ["dispsplit","0"]
      }
   }
	 if [split1] == "-1" {
      mutate {
         replace => ["split1","0"]
      }
   }
	 if [split2] == "-1" {
      mutate {
         replace => ["split2","0"]
      }
   }
	 if [split3] == "-1" {
      mutate {
         replace => ["split3","0"]
      }
   }


	mutate {
		convert => {"disposition" => "integer"}
		convert => {"holdabn" => "integer"}
		convert => {"talktime" => "integer"}
		convert => {"acwtime" => "integer"}
		convert => {"ringtime" => "integer"}
		convert => {"dispriority" => "integer"}
		convert => {"queuetime" => "integer"}
		convert => {"duration" => "integer"}
		convert => {"ansholdtime" => "integer"}
		convert => {"disptime" => "integer"}
		convert => {"netintime" => "integer"}
		convert => {"tenant_num" => "integer"}
		convert => {"dispsklevel" => "integer"}
		convert => {"prefskilllevel" => "integer"}
		convert => {"origholdtime" => "integer"}
		convert => {"ansreason" => "integer"}
		convert => {"consulttime" => "integer"}
		convert => {"agentsurplus" => "integer"}
		convert => {"cwc1" => "integer"}
		convert => {"cwc2" => "integer"}
		convert => {"cwc3" => "integer"}
		convert => {"cwc4" => "integer"}
		convert => {"cwc5" => "integer"}
		convert => {"acd" => "integer"}
		convert => {"dispsplit" => "integer"}
		convert => {"held" => "integer"}
		convert => {"split1" => "integer"}
		convert => {"split2" => "integer"}
		convert => {"split3" => "integer"}
		convert => {"dispivector" => "integer"}
		convert => {"firstvector" => "integer"}
		convert => {"callid" => "integer"}
		convert => {"eq_locid" => "integer"}
		convert => {"event1" => "integer"}
		convert => {"event2" => "integer"}
		convert => {"event3" => "integer"}
		convert => {"event4" => "integer"}
		convert => {"event5" => "integer"}
		convert => {"event6" => "integer"}
		convert => {"event7" => "integer"}
		convert => {"event8" => "integer"}
		convert => {"event9" => "integer"}
		convert => {"interruptdel" => "integer"}
		convert => {"origreason" => "integer"}
		convert => {"uui_length" => "integer"}
		convert => {"ans_locid" => "integer"}
		convert => {"orig_locid" => "integer"}
		convert => {"icrpullreason" => "integer"}
		convert => {"firstivector" => "integer"}
		convert => {"agentskilllevel" => "integer"}
		convert => {"obs_locid" => "integer"}
		convert => {"tkgrp" => "integer"}
		convert => {"segment" => "integer"}
		convert => {"uui_len" => "integer"}
		convert => {"assist" => "integer"}
		convert => {"transferred" => "integer"}
		convert => {"malicious" => "integer"}
		convert => {"agt_released" => "integer"}
		convert => {"conference" => "integer"}
		convert => {"da_queued" => "integer"}
		convert => {"icrresent" => "integer"}
		convert => {"audio" => "integer"}
	}
}

output {
	elasticsearch {
      hosts => [ "http://localhost:9200"]
		index => "ech-%{+YYYY.MM.dd}"
		document_id => "%{acd}_%{callid}_%{segment}_%{ucid}"
		manage_template => false
		user => "${ES_USER}"
		password => "${ES_PWD}"
   }
	stdout { codec => rubydebug }
}

Badger · March 26, 2021, 6:01pm

Does [hostname] show up in the rubydebug output on stdout?

ASA01 · March 29, 2021, 3:43pm

No it does not.

I get "host" => "cmscd", That is it. Nothing for "hostname"

Badger · March 29, 2021, 4:38pm

OK, so logstash is not adding it. Do you have ingestion pipelines in elasticsearch?

ASA01 · March 31, 2021, 9:02pm

Sorry for the delay, I do not have any. Could scripted fields that don't have anything to do with the hostname is all.