Save only unique events that are not yet stored in ES based on field value

Lupul_Dacic · April 4, 2022, 7:57am

Hi all,

I am using Logstash with a http_poller. Basically I am querying an API and save the data in ELK. All is fine, but the situation is that I am saving the same events and I need unique ones.

I would like to save only those events that are not already in the DB. If the value from data.attributes.cveID is not already saved in the ELK, then save the objects, else drop the event.

Screenshot 2022-04-04 at 10.51.04

I.e if there is no CVE-2022-21698 in ES, then save it else drop the event.

How I can do this?
Screenshot 2022-04-04 at 10.50.51

PFA my logstash.conf


input { 
  http_poller {
    urls => {
      test2 => {
        method => get
        url => "http://localhost:1337/api/webs/"
      }
    }
    request_timeout => 60
    schedule => { cron => "* * * * * UTC"}
    codec => "json"
    metadata_target => "http_poller_metadata"
  }
}

filter {
  split { field => "[data]" }
}

output {
	elasticsearch {
		hosts => "elasticsearch:9200"
		user => "logstash_internal"
		password => "${LOGSTASH_INTERNAL_PASSWORD}"
	}
}

If you could help me, I will owe you a lot!

Badger · April 4, 2022, 6:22pm

You can do this by overwriting the document each time.

Use document_id => %{[data][attributes][cveID]} in the elasticsearch output.

If you really want to drop the document then you could use an elasticsearch filter to do a lookup and see if it exists. However, in my very limited experience that is fragile and does not work as well as you would expect (in that case possibly due to the way logstash processes batches).

Lupul_Dacic · April 4, 2022, 7:43pm

PFA the output from logstash.conf

output {
	elasticsearch {
		hosts => ["http://elasticsearch:9200"]
		user => "logstash_internal"
		password => "${LOGSTASH_INTERNAL_PASSWORD}"
		document_id => %{[attributes][cveID]}
	}
}

I got an error:


[logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", [A-Za-z0-9_-], '\"', \"'\", [A-Za-z_], \"-\", [0-9], \"[\", \"{\" at line 36, column 18 (byte 725) after output {\n\telasticsearch {\n\t\thosts => [\"http://elasticsearch:9200\"]\n\t\tuser => \"logstash_internal\"\n\t\tpassword => \"${LOGSTASH_INTERNAL_PASSWORD}\"\n\t\tdocument_id => ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:189:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:50:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:376:in `block in converge_state'"]}

Badger · April 4, 2022, 7:45pm

Add double quotes around the value: "%{[attributes][cveID]}".

Lupul_Dacic · April 4, 2022, 7:57pm

it works like a charm! Thank you!
You're the best!

system · May 2, 2022, 7:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Drop documents if certain field values are the same as the previous document Logstash	3	423	January 2, 2018
Logstash - update CSV content changes into ES Logstash	9	1344	May 8, 2019
Delete all extracted events before a specific field Logstash	4	657	August 25, 2017
ES query to check the existence of a document_id? Logstash	10	982	June 26, 2020
Logstash read previous events fields from elasticsearch in case of high events rate Logstash	4	559	February 14, 2021

Save only unique events that are not yet stored in ES based on field value

Related topics