Logstash with ouput clickhouse plugin more than 80% logs are missing

Anandh_Kumar1 · December 20, 2023, 1:03pm

I am using logstash version 7.17.15 in production environment, In that i am using the ouput plugin is clickhouse and the version is 20.8.3.18.

Using the filebeat I am moving the logs into logstash which is there is remove machine. Logstash filter the logs and insert the logs into clickhouse. When traffic is less there is no any issue all the logs goes to clickhouse DB.
When heavy traffic I am getting below error in logstash logs

INFO ] 2023-12-20 18:27:12.686 [pool-11-thread-1] clickhouse - Retrying connection {:url=>"http:/10.0.0.18:8123?query=INSERT+INTO+bolt.sender+FORMAT+JSONEachRow", :uuid=>"6854f6413da3fe8faab0efe1b3141804"}
[ERROR] 2023-12-20 18:27:15.083 [pool-12-thread-1] clickhouse - [HTTP Output Failure] Could not access URL {:url=>"http:/10.0.0.18:8123?query=INSERT+INTO+bolt.sender+FORMAT+JSONEachRow", :method=>nil, :headers=>nil, :message=>"URI does not specify a valid host name: http:/10.0.0.18:8123?query=INSERT+INTO+bolt.sender+FORMAT+JSONEachRow", :class=>"Manticore::ClientProtocolException", :backtrace=>nil, :size=>3639, :uuid=>"6854f6413da3fe8faab0efe1b3141804"}

Some of the logs are inserted into clickhouse some I am getting above error. Why this is happend? How can I resolve data loss here?

Below I have provided my logstash.conf

input {
        beats {
                port => 5044
        }
}
filter {
        if "sender" in [tags] {
                grok
                {
                        match => [ "message" , "BOLTFINALLOG %{GREEDYDATA:senderlog}"]
                }
                mutate {
                        split => {"senderlog" => "|"}
                        add_field => {
                                "sender_host" => "%{[host][hostname]}"
                                "queueid" => "%{[senderlog][0]}"
                                "status" => "%{[senderlog][1]}"
                                "dsn_time" => "%{[senderlog][2]}"
                                "bolt_injection_time" => "%{[senderlog][3]}"
                                "injection_time" => "%{[senderlog][4]}"
                                "listener_time" => "%{[senderlog][5]}"
                                "generation_time" => "%{[senderlog][6]}"
                                "from_address" => "%{[senderlog][7]}"
                                "from_address_res" => "%{[senderlog][7]}"
                                "rcpt_address" => "%{[senderlog][8]}"
                                "rcpt_address_res" => "%{[senderlog][8]}"
                                "delivery_ip" => "%{[senderlog][9]}"
                                "mx_ip" => "%{[senderlog][10]}"
                                "size" => "%{[senderlog][11]}"
                                "vmta" => "%{[senderlog][12]}"
                                "dsn_status" => "%{[senderlog][14]}"
                                "dsn_response" => "%{[senderlog][15]}"
                                "delay" => "%{[senderlog][13]}"
                                "policy_type" => "%{[senderlog][16]}"
                                "retry" => "%{[senderlog][17]}"
                                "[@metadata][table]" => "sender"
                        }
                        remove_field => "@timestamp"
                        remove_field => "host"
                        remove_field => "senderlog"
                        remove_field => "agent"
                        remove_field => "@version"
                        remove_field => "message"
                        remove_field => "event"
                        remove_field => "log"
                        remove_field => "tags"
                        remove_field => "input"
                        remove_field => "ecs"
                }
                if [from_address_res] =~ /^campaign/ {
                mutate {
                        split => {"from_address_res" => "-"}
                        add_field => {
                                "client_name" => "%{[from_address_res][1]}"
                                "clientid" => "%{[from_address_res][2]}"
                                "messageid" => "%{[from_address_res][3]}"
                        }
                }
                }
                mutate{
                        remove_field => "from_address_res"
                }
                mutate {
                        split => {"rcpt_address_res" => "@"}
                        add_field => {
                                "rcpt_domain" => "%{[rcpt_address_res][1]}"
                        }
                        remove_field => "rcpt_address_res"
                }
                mutate {
                        gsub => ["injection_time", "T", " "]
                        gsub => ["bolt_injection_time", "T", " "]
                        gsub => ["dsn_time", "T", " "]
                        gsub => ["listener_time", "T", " "]
                        gsub => ["generation_time", "T", " "]
                }
                mutate {
                        gsub => ["injection_time", "\+05:30", ""]
                        gsub => ["bolt_injection_time", "\+05:30", ""]
                        gsub => ["dsn_time", "\+05:30", ""]
                        gsub => ["listener_time", "\+05:30", ""]
                        gsub => ["generation_time", "\+05:30", ""]
                }
                if [injection_time] == "" {
                        mutate {
                                remove_field => "injection_time"
                        }
                }
                if [generation_time] == "" {
                        mutate {
                                remove_field => "generation_time"
                        }
                }
                if [bolt_injection_time] == "" {
                        mutate {
                                remove_field => "bolt_injection_time"
                        }
                }
                if [dsn_time] == "" {
                        mutate {
                                remove_field => "dsn_time"
                        }
                }
                if [listener_time] == "" {
                        mutate {
                                remove_field => "listener_time"
                        }
                }
        }
}
output
{
        if "sender" == [@metadata][table]
        {
                clickhouse {
                        http_hosts   => ["http://IP:8123"]
                        table        => "bolt.sender"
                        flush_size => 5
                        pool_max => 5
                }
        }

   stdout {
    codec => rubydebug
  }
}

leandrojmp · December 20, 2023, 2:58pm

From what you described it looks like an issue on Clickhouse side, do you have any logs for it?

It seems that it can not keep up with the event rate from Logstash.

Are you using Persistent Queue in Logstash? It may help with the data loss.

system · January 17, 2024, 2:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
LogStash-Outputs -ElasticSearch - URI is not valid - host is not specified Logstash docker	2	4078	April 6, 2020
"Could not fetch URL" while using http output plugin Logstash	5	7172	October 3, 2017
Kafka output plugin loses all data when Kafka is down Logstash	2	778	October 30, 2017
[logstash.outputs.elasticsearch] Marking url as dead. Elasticsearch Unreachable: [Manticore::SocketTimeout] Read timed out. LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError Logstash	3	2619	May 20, 2020
Do we have data loss when logstash is unable to send logs to haproxy as haproxy server is unavailable Logstash	7	897	May 27, 2021

Logstash with ouput clickhouse plugin more than 80% logs are missing

Related Topics