Hello - I've run into a major problem and would really appreciate an explanation. Thank you for your input.
We are using rollups to process metricbeat data for analysis. We have three servers, say A, B and C. Having these server ID's is essential for keeping track of what we are storing in the rollups. Everything will use these ID's!
But several documents in the rollups do not contain an ID. The original metricbeat data always contains one of these ID's. So what are these documents with missing ID's?
Here is the rollup JSON (which I implemented using the API):
{
"config": {
"id": "cpu_minute_test_rollup",
"index_pattern": "metricbeat-*",
"rollup_index": "cpu_minute_test",
"cron": "0 * * * * ?",
"groups": {
"date_histogram": {
"calendar_interval": "1h",
"field": "@timestamp",
"delay": "1m",
"time_zone": "UTC"
},
"histogram": {
"interval": 5,
"fields": [
"system.cpu.total.pct"
]
},
"terms": {
"fields": [
"system.cpu.total.pct",
"fields.server.id",
"system.cpu.cores"
]
}
},
"metrics": [
{
"field": "system.cpu.total.pct",
"metrics": [
"value_count",
"sum",
"min",
"max",
"avg"
]
}
],
"timeout": "20s",
"page_size": 1000
},
"status": {
"job_state": "started",
"current_position": {
"@timestamp.date_histogram": 1565316000000,
"fields.server.id.terms": "A",
"system.cpu.cores.terms": 2,
"system.cpu.total.pct.histogram": 0,
"system.cpu.total.pct.terms": 0.787
},
"upgraded_doc_id": true
},
"stats": {
"pages_processed": 136,
"documents_processed": 6442666,
"rollups_indexed": 133985,
"trigger_count": 2,
"index_time_in_ms": 32935,
"index_total": 134,
"index_failures": 0,
"search_time_in_ms": 31237,
"search_total": 136,
"search_failures": 0
}
}
Here is what we expect documents to look like (output from rollup):
{
"_index": "cpu_minute_test",
"_type": "_doc",
"_id": "cpu_minute_test_rollup$MmisCtl54fwO4f2-fQABCg",
"_version": 1,
"_score": null,
"_source": {
"@timestamp.date_histogram.time_zone": "UTC",
"@timestamp.date_histogram.timestamp": 1563908400000,
"system.cpu.total.pct.histogram.interval": 5,
"system.cpu.total.pct.terms._count": 932,
"system.cpu.cores.terms.value": null,
"@timestamp.date_histogram.interval": "1h",
"@timestamp.date_histogram._count": 932,
"system.cpu.total.pct.terms.value": null,
"system.cpu.total.pct.value_count.value": 0,
"system.cpu.total.pct.histogram.value": null,
"system.cpu.total.pct.sum.value": 0,
"_rollup.version": 2,
"fields.server.id.terms.value": "A",
"fields.server.id.terms._count": 932,
"system.cpu.total.pct.histogram._count": 932,
"system.cpu.cores.terms._count": 932,
"_rollup.id": "cpu_minute_test_rollup"
},
"sort": [
-9223372036854776000
]
}
But several are missing this essential ID. They look like this:
{
"_index": "cpu_minute_test",
"_type": "_doc",
"_id": "cpu_minute_test_rollup$gKcjJihI5w0S1y7_ZuXplA",
"_version": 1,
"_score": null,
"_source": {
"@timestamp.date_histogram.time_zone": "UTC",
"@timestamp.date_histogram.timestamp": 1563908400000,
"system.cpu.total.pct.histogram.interval": 5,
"system.cpu.total.pct.terms._count": 1371,
"system.cpu.cores.terms.value": null,
"@timestamp.date_histogram.interval": "1h",
"@timestamp.date_histogram._count": 1371,
"system.cpu.total.pct.terms.value": null,
"system.cpu.total.pct.value_count.value": 0,
"system.cpu.total.pct.histogram.value": null,
"system.cpu.total.pct.sum.value": 0,
"_rollup.version": 2,
"fields.oss.id.terms.value": null,
"fields.oss.id.terms._count": 1371,
"system.cpu.total.pct.histogram._count": 1371,
"system.cpu.cores.terms._count": 1371,
"_rollup.id": "cpu_minute_test_rollup"
},
"sort": [
-9223372036854776000
]
}
What are these documents without an ID? Is this a normal thing or have I messed something up?
Thanks again!