Significant difference in size output because of an if statment (that shouldn't happend)

sahar_q · May 29, 2017, 1:37pm

Hi,
For some reason that i dont get the follow input creates twice less the size(27KB) on the created index in elastic:

output {
if "ArpTable" in [tags] {
elasticsearch {
hosts => ["x"]
action => "index"
index => "arp-table"
}
}
stdout {codec => rubydebug}
}

While if i delete the if statement the size of the index will increase twice (62KB):

output {
elasticsearch {
hosts => ["x"]
action => "index"
index => "arp-table"
}
stdout {codec => rubydebug}
}

what is the reason for it?

Edit: Solved - larger index had more shards

magnusbaeck · May 29, 2017, 7:49pm

Are you indexing the same amount of documents each time? Are the documents identical?

sahar_q · May 30, 2017, 7:58am

yes there are. both contained 41 documents, and the same data was indexed

sahar_q · May 30, 2017, 8:09am

After reChecking the index setting i found that the larger index was split into more shards than the other.
problem solved, sorry

Topic		Replies	Views
Different Index sizes for same data Elasticsearch	1	986	May 19, 2015
Elasticsearch index size increased but data source is still the same in ES 7.4 Elasticsearch	6	555	May 29, 2020
Document count is same but index size is growing every logstash run Elasticsearch	2	1130	September 11, 2019
No effect of "size" in 'query' while reindexing in elasticsearch Logstash	1	631	September 9, 2016
Index size Elasticsearch	0	400	May 15, 2014