Hi,
I've configured Packetbeat (5.0.1) to send MongoDB information via Logstash (5.0.1) to the current Cloud version of Elasticsearch (5.0.1).
It works great, but the thing is that I get multiple beats for the same MongoDB operation, which results in multiple documents in Elasticsearch.
See the example below: when the query test.users.find() is executed in MongoDB at some point, I get 2 (sometimes 3) beats for it.
Should I use some aggregation filter? Can somebody provide an example? Or should I deal with this in another way?
Thanks in advance!!
Beat documents for a single users.find() operation (the three documents differ in client_port and bytes_in):
[
{
"_index": "sbm",
"_type": "mongodb",
"_id": "AVirqf5tsEe0TVUiaO7i",
"_score": null,
"_source": {
"server": "",
"proc": "",
"method": "find",
"bytes_in": 355,
"resource": "test.users",
"query": "test.users.find()",
"ip": "xxx.xx.x.xxx",
"type": "mongodb",
"client_proc": "",
"tags": [
"beats_input_raw_event"
],
"client_server": "",
"client_port": 36630,
"@timestamp": "2016-11-28T15:59:52.332Z",
"bytes_out": 540,
"port": 27000,
"beat": {
"hostname": "mongo-dev-0",
"name": "mongo-dev-0",
"version": "5.0.1"
},
"@version": "1",
"host": "mongo-dev-0",
"responsetime": 0,
"client_ip": "yyy.yy.yy.yy",
"mongodb": {
"fullCollectionName": "test.$cmd",
"numberReturned": 1,
"numberToSkip": 0,
"startingFrom": 0,
"numberToReturn": 4294967295,
"cursorId": 0
},
"status": "OK",
"direction": "in"
},
"fields": {
"@timestamp": [
1480348792332
]
},
"sort": [
1480348792332
]
},
{
"_index": "sbm",
"_type": "mongodb",
"_id": "AVirqf5tsEe0TVUiaO7g",
"_score": null,
"_source": {
"server": "",
"proc": "",
"method": "find",
"resource": "test.users",
"bytes_in": 346,
"ip": "xxx.xx.x.xxx",
"query": "test.users.find()",
"type": "mongodb",
"client_proc": "",
"tags": [
"beats_input_raw_event"
],
"client_server": "",
"client_port": 36634,
"@timestamp": "2016-11-28T15:59:52.332Z",
"bytes_out": 540,
"port": 27000,
"beat": {
"hostname": "mongo-dev-0",
"name": "mongo-dev-0",
"version": "5.0.1"
},
"@version": "1",
"host": "mongo-dev-0",
"responsetime": 0,
"client_ip": "yyy.yy.yy.yy",
"mongodb": {
"fullCollectionName": "test.$cmd",
"numberReturned": 1,
"numberToSkip": 0,
"startingFrom": 0,
"cursorId": 0,
"numberToReturn": 4294967295
},
"status": "OK",
"direction": "in"
},
"fields": {
"@timestamp": [
1480348792332
]
},
"sort": [
1480348792332
]
},
{
"_index": "sbm",
"_type": "mongodb",
"_id": "AVirqf5tsEe0TVUiaO7f",
"_score": null,
"_source": {
"server": "",
"proc": "",
"method": "find",
"bytes_in": 330,
"resource": "test.users",
"query": "test.users.find()",
"ip": "xxx.xx.x.xxx",
"type": "mongodb",
"client_proc": "",
"tags": [
"beats_input_raw_event"
],
"client_port": 36636,
"client_server": "",
"@timestamp": "2016-11-28T15:59:52.324Z",
"bytes_out": 560,
"port": 27000,
"beat": {
"hostname": "mongo-dev-0",
"name": "mongo-dev-0",
"version": "5.0.1"
},
"@version": "1",
"host": "mongo-dev-0",
"responsetime": 0,
"client_ip": "yyy.yy.yy.yy",
"mongodb": {
"fullCollectionName": "test.$cmd",
"numberReturned": 1,
"numberToSkip": 0,
"startingFrom": 0,
"cursorId": 0,
"numberToReturn": 4294967295
},
"status": "OK",
"direction": "in"
},
"fields": {
"@timestamp": [
1480348792324
]
},
"sort": [
1480348792324
]
}
]