Hi,
I have a setup with Logstash forwarding Apache access logs to Elastic Search for analysis in Kibana.
As this is a shared server (WHM/Cpanel) I forward the COMBINEDVHOST log, grok it with " %{IPORHOST:vhost}:%{POSINT:port} %{COMBINEDAPACHELOG}" pattern to extract the virtual host name.
Everything is working fine, except for some entries which seem to generate three different records in Kibana, with one making some fields appear as "pairs". Better with an example from Kibana discover panel (I masked the clientip but it's the same everywhere):
Time response bytes clientip
July 29th 2015, 14:02:23.000 ["404","404"] ["14202","14202"] ["x.x.x.x","x.x.x.x"]
July 29th 2015, 14:02:23.000 404 14202 x.x.x.x
July 29th 2015, 14:02:23.000 404 14202 x.x.x.x
So in this three records every fields are exactly the same, except for the one that appear as "pairs", but with the same content as the other two lines. It does this only on these fields:
- agent
- bytes
- clientip
- geoip.coordinates
- geoip.location
- httpversion
- ident
- port
- referrer
- request
- response
- timestamp
- verb
- vhost
What I don't understand is that it does it only for certain entries, not all, and I cannot find any common pattern... What I fear is how it will impact some results when counting hits or adding bytes...
Has anyone experienced something similar?
Thanks.