Duplicate events are indexed with different _id field #312
This has been a major issue for me as well. I ended up using a similar workaround, but it would be ideal if this could get fixed.
Fluentd plugins are meant to be used in several combinations. This issue is caused by heavy traffic congestion in Elasticsearch.
The current documentation does not describe how to prevent duplicated events.
Thanks for the reply @cosmo0920! I had always assumed that events being retried would reuse the same `_id`. I wonder if there is a way to store that value across retries. I will submit a PR with this workaround to the README, as you suggested it might help others in similar situations, though I have to say it is not a "pretty" fix: the additional hash calculations consume resources, and you need to carefully select the keys for the different sources to be used for the hash, or you'll get dangerous hash collisions and lose events. After reviewing this bugzilla, it seems to me that the root cause may lie in fluentd's own output buffer mechanism, but I don't have enough experience with its inner workings to be certain; perhaps you could review and provide your PoV?
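The key-selection tradeoff described above can be sketched in plain Ruby. This is a hypothetical helper for illustration (the key list is an assumption), not the plugin's actual code:

```ruby
require "digest/md5"

# Keys used as hash material -- an assumption for illustration. Choose
# fields that together uniquely identify an event; otherwise two distinct
# events can collide on the same _hash and one will be silently lost.
HASH_KEYS = %w[host path message timestamp].freeze

# Build a deterministic _hash for a record. A retried copy of the same
# event produces the same value, so Elasticsearch sees the same _id.
def event_hash(record)
  material = HASH_KEYS.map { |k| record[k].to_s }.join("\x00")
  Digest::MD5.hexdigest(material)
end
```

Because the hash is derived only from record contents, the cost is one MD5 digest per event, which is the resource overhead mentioned above.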
Fluentd's output and its associated buffer plugin follow an at-least-once delivery rule on some output routes, not an exactly-once rule. To solve this on the ES plugin side, it needs a hash-generation mechanism, as described here, which will prevent hash value collisions.
Instructions on how to avoid duplicate events on highly congested Elasticsearch clusters; relates to uken#312
I think the above would be a great enhancement! I don't think a separate plugin should be used for this, as this is a common Elasticsearch problem (under certain conditions); a helper module sounds good! In any case, I've submitted #317 with some instructions on how to work around this issue in the meantime, for your consideration.
I've released a patch for this issue as 2.0.1.rc.1.
Thank you @cosmo0920 for this work, and everyone for contributing! We plan to test this release ASAP and will report back on how things are behaving.
@cosmo0920 I just realized that >v2.0.0 is for fluentd 0.14; however, we are still using fluentd 0.12. Is it possible to port this to the 1.x.x version branch?
I ported this work for v0.12 on #323.
Thank you! Could I trouble you to build & publish an RC release for this as well? It will just be easier for us to integrate it.
I've published this work for v0.12 as v1.10.3.rc.1.
Yes! Thanks, we'll upgrade and let you know!
Hi @cosmo0920, I just installed version 1.11.0 in our test cluster; unfortunately there seems to be an issue. I receive the following errors from Elasticsearch:
Here's my output config:
Seems like we are incorrectly using the API here?
The following change in the configuration seems to have solved the error for me:
Seems like you cannot inject it that way. What do you think? Is this a correct approach? I assume the value of the key is what gets used.
I think the ES client needs to use the Document PUT API, which is equivalent to an `index` operation with an explicit id.
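For reference, a document PUT with an explicit id looks roughly like this (the index/type names and the id are placeholders; this thread predates the removal of mapping types):

```
PUT /fluentd/fluentd/<generated-hash-id>
{ "message": "...", "_hash": "<generated-hash-id>" }
```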
It seems that my configuration above is generating duplicate events in Elasticsearch; I'm able to find many identical documents, only with different `_id` values. I'm going to revert to our previous configuration for now.
I think the bulk index operations need to use the "create" action.
We can possibly handle duplicate events when using the "create" operation as of v1.11.0 and v2.1.0:
Could you try it?
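For context: in the Bulk API, an `index` action overwrites an existing document with the same `_id`, while `create` fails for it with a 409 conflict, which is what makes retried duplicates detectable rather than silently re-indexed. A sketch of a bulk body using `create` (index, type, and id are placeholders):

```
{ "create": { "_index": "fluentd", "_type": "fluentd", "_id": "<hash-id>" } }
{ "message": "...", "_hash": "<hash-id>" }
```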
I can try, but what about the …
Error:
So, should I try this:
Sorry, this is my mistake.
Ok, got it. So this config is correct?
Yes, it is.
We've hit the same problem with the above setup; many duplicate documents are ingested into Elasticsearch with different `_id` values. Any ideas? Is it possible the plugin overwrites the value of `_hash`?
I think that retrying a write into Elasticsearch may overwrite the value of `_hash`.
Ok, so it seems like we need to check whether the key already exists, and if it does, not create a new one. Recalling our discussion in the PR, it seems that if the hash were reproducible this wouldn't be an issue at this point (as the retry would produce the same hash), wouldn't it? Although I still prefer to use the random method to generate the hash, to avoid collisions.
Wouldn't we want the ES output plugin to create a bulk request payload with the …?
I'm going to try a different "workaround" for now, since using …
and use the …
How about a separate Generate Hash ID module, as a fluent-plugin-filter-elasticsearch-genid plugin?
Ah, this plugin should be bundled with this ES plugin.
Sounds good to me!
👍 I'm going to test it ASAP!
I'm looking forward to your test results.
1.12.0.rc.1 is already deployed; so far so good. I will keep you posted! I appreciate your hard work 😃
Things are looking stable! No issues as far as I can see.
Awesome. What good news!
Do you plan to do a GA release of v1.12.0 and v2.2.0?
I'm planning a GA release of v1.12.0 and v2.2.0 next week.
Thanks @cosmo0920, have a great weekend 😃
I've released v1.12.0 and v2.2.0.
Problem
We've been experiencing a few incidents in the past few weeks where a certain issue on our Elasticsearch cluster would cause errors in fluentd when pushing logs (specifically, we've been exceeding the allowed queue length on Elasticsearch, which would send reject errors). These are retried by fluentd at certain intervals; however, each retry is submitted with a new `_id` value.

During this condition, Elasticsearch would seem to be indexing the messages (with some delay), but since fluentd is getting an error, it retries again and again; as a result we end up with many duplicate events (each with a unique `_id`).

I've found a related issue filed here: https://bugzilla.redhat.com/show_bug.cgi?id=1491401

I'm not certain if this is the plugin's fault, or whether the output buffer in fluentd is responsible for this part.

We were able to come up with the following workaround:
- Generate a `_hash` field from several keys in each record (hopefully providing a unique MD5 hash per event)
- Add `id_key _hash` to the output configuration

The above solved the duplicate issue we've been experiencing.
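A minimal configuration sketch of this workaround (the tag pattern, key choices, and host are assumptions, not our exact production config), using the stock record_transformer filter:

```
<filter app.**>
  @type record_transformer
  enable_ruby true
  <record>
    # MD5 over a few identifying fields; pick keys carefully to avoid collisions
    _hash ${require "digest/md5"; Digest::MD5.hexdigest("#{record['host']}/#{record['path']}/#{record['message']}")}
  </record>
</filter>

<match app.**>
  @type elasticsearch
  host es.example.com
  port 9200
  id_key _hash   # reuse the same _id on retries so duplicates collapse
</match>
```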
Steps to replicate
This is triggered when Elasticsearch sends rejections because its queue limit has been reached.
Using Fluentd and ES plugin versions