Last active
November 5, 2017 01:56
-
-
Save areyoutoo/8046708 to your computer and use it in GitHub Desktop.
Dropping duplicate events in Logstash
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Dropping duplicate events in Logstash | |
| # | |
| # Explanation: | |
| # - Add a hashed field with the anonymize filter (it's fast) | |
| # - ES docs are unique per index/docid, duplicates will be overwritten | |
| # - Set ES "document_id" field when submitting | |
| # | |
| # Caveats: | |
| # - Adds a nonsense field to your events. Annoying but harmless. | |
| # - Make sure that whatever field(s) you hash are unique! | |
| filter { | |
| mutate { | |
| add_field => ["docId", "%{message}"] | |
| } | |
| anonymize { | |
| fields => ["docId"] | |
| key => "pianoPlayingMonkey" | |
| } | |
| } | |
| output { | |
| elasticsearch { | |
| document_id => "%{docId}" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment