Why does it have duplicate ID with normal logstash output and fingerprint filter?

Bo_Pham_Nguyen · February 20, 2021, 3:00am

Hi team, This is my logstash config to get data, and I use fingerprint as _id in order to prevent duplication from data. But it still has duplicated event as below. Any help?

filter {
        if [type] == "cve" {
        fingerprint {
                key => "123ABC"
                method => "SHA256"
                source => ["id"]
                target => "[fingerprint]"
        }
        }
}

elasticsearch {
        hosts => ["http://1x.1x.1x.2:9200"]
        index => "hc-%{+YYYY.MM.dd}"
        document_id => "%{fingerprint}"
  }

The first event
"
_id
6bacf9435a4a7161994323d09d72ec3640418b31fb7544e5e3786fb7805a6b1d
_index
hc
_type
_doc
author
CVEnew
fingerprint
6bacf9435a4a7161994323d09d72ec3640418b31fb7544e5e3786fb7805a6b1d
"

The second event
"
_id
6bacf9435a4a7161994323d09d72ec3640418b31fb7544e5e3786fb7805a6b1d
_index
hc
_type
_doc
author
CVEnew
fingerprint
6bacf9435a4a7161994323d09d72ec3640418b31fb7544e5e3786fb7805a6b1d
"

warkolm · February 21, 2021, 9:47pm

Can you post the original document?

Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you

system · March 21, 2021, 9:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Duplicated date in my elastic Logstash	6	315	November 1, 2022
Fingerprint duplicate hash for different events Logstash	4	679	October 5, 2021
I Want to remove the duplicate events inside Logstash filter how could I do that? I mention the events below please have a look and suggest Logstash	7	595	January 12, 2024
Duplicate events even after introducing fingerprint Logstash	5	577	January 1, 2021
Fingerprint plugin not working properly Logstash	5	165	April 5, 2024

Why does it have duplicate ID with normal logstash output and fingerprint filter?

Related Topics