Drop non-matching logs inside elasticsearch filebeat module 8.0 pipelines #30428

matschaffer · 2022-02-16T12:59:32Z

#30018 added support for ES 8.0's ECS formatted logs.

Since the logs are ECS format we opted for minimal processing and removed the drop found in the 7.x log processors.

Unfortunately in cases like kubernetes, the combination of multiple file sets (server, audit, etc...) and using a single mixed stream (stdout) means we end up double-ingesting the same messages across multiple pipelines and storing the duplicates.

To work around this we can add a drop to the 8.0 pipelines for the elasticsearch module.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2022-02-16T12:59:33Z

Pinging @elastic/integrations (Team:Integrations)

matschaffer added Filebeat Filebeat Team:Integrations Label for the Integrations team Feature:Stack Monitoring labels Feb 16, 2022

matschaffer self-assigned this Feb 17, 2022

matschaffer mentioned this issue Feb 17, 2022

Add drop and explicit tests to avoid duplicate ingest of elasticsearch logs #30440

Merged

4 tasks

matschaffer closed this as completed in #30440 Feb 21, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Drop non-matching logs inside elasticsearch filebeat module 8.0 pipelines #30428

Drop non-matching logs inside elasticsearch filebeat module 8.0 pipelines #30428

matschaffer commented Feb 16, 2022

elasticmachine commented Feb 16, 2022

Drop non-matching logs inside elasticsearch filebeat module 8.0 pipelines #30428

Drop non-matching logs inside elasticsearch filebeat module 8.0 pipelines #30428

Comments

matschaffer commented Feb 16, 2022

elasticmachine commented Feb 16, 2022