Logstash processing messages out of order

I have a long config that handles several types of messages, very similar to the canonical examples on the aggregate plugin docs page (Example 1). Here's the gist:

filter {

  # Each grok only adds its type field when its pattern matches,
  # so the first successful match classifies the event.
  grok {
    match => { ... }
    add_field => { 'type' => 'type_a' }
  }

  if ![type] {
    grok {
      match => { ... }
      add_field => { 'type' => 'type_b' }
    }
  }

  if ![type] {
    grok {
      match => { ... }
      add_field => { 'type' => 'type_c' }
    }
  }

  # type_b starts an aggregate task; the start event itself is dropped.
  if [type] == 'type_b' {
    aggregate {
      task_id => '...'
      map_action => 'create'
      code => "..."
    }

    drop {}
  }

  # type_c updates the map and ends the task (or it times out after 60 s).
  if [type] == 'type_c' {
    aggregate {
      task_id => '...'
      end_of_task => true
      timeout => 60
      map_action => 'update'
      code => "..."
    }
  }

}
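
For concreteness, a hypothetical fill-in for the elided aggregate blocks, modelled on Example 1 from the aggregate docs; the user_id, duration, and sql_duration names are illustrative, not my actual fields:

if [type] == 'type_b' {
  aggregate {
    task_id => "%{user_id}"   # hypothetical correlation key
    map_action => 'create'
    code => "map['sql_duration'] = event.get('duration')"
  }
  drop {}
}

if [type] == 'type_c' {
  aggregate {
    task_id => "%{user_id}"
    end_of_task => true
    timeout => 60
    map_action => 'update'
    code => "event.set('sql_duration', map['sql_duration'])"
  }
}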

Otherwise the config seems to be working: from what I can see, it picks up the correct types and the other fields as needed.

I've confirmed I have one worker:

Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>1000, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, :thread=>"#<Thread:0x754f9f28 run>"}
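
(The single worker the aggregate filter requires is pinned in logstash.yml; passing -w 1 on the command line should be equivalent:)

# logstash.yml -- aggregate needs one worker so events stay in order
pipeline.workers: 1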

However, I still see it processing out of order. E.g. for a file such as:

type A
type B
type C

where type B and type C are aggregated as start / end events per the above config, I see it processing in this order:

type C
type A

which completely breaks things downstream.

What should I be doing differently, or what else can I try to troubleshoot this?

In logstash.yml, set

pipeline.java_execution: false

There is a PR in flight to fix this issue.
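
With the single worker the aggregate filter already requires, logstash.yml would then contain something like:

# logstash.yml
pipeline.workers: 1             # required by the aggregate filter
pipeline.java_execution: false  # fall back to the Ruby execution engine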

@Badger Thanks, changed that:

Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>1000, "pipeline.batch.delay"=>50}

but I'm still seeing events out of order sometimes. Anything else I can try?
