Journal duplicate messages?

gianluca-valentini · December 15, 2022, 1:48pm

Hi,
I’m using Graylog 4.3.7. There is a strange behavior I saw during log data ingestion.
Using GELF input I sent data from a log file with about 1,800,000 rows.
Graylog installation with active journal.

The strangeness is that on graylog are present about 2,600,000 messages
What I can see is that the journal was full (more that 100%)

After that I test the same ingeston disabling journal.
Now the messages count is exactly the file row number (1,800,000).

So, is the journal the responsible for this strange behavior?
Can somebody help me to understand what happened?

Gianluca

StefanAustin · December 15, 2022, 3:30pm

I saw this one: Graylog journal getting full
Maybe it works for you, too.

ihe · December 16, 2022, 1:57pm

on what index are those data? And what is the data-retention? Do you rotate by number of logs or by time, and how many rotations do you do, before you delete?

gianluca-valentini · December 16, 2022, 2:51pm

Hi @ihe
here the info you asked.

I deleted all elastic indices

So the question is: why with the journal I had that biggest number of messages (2,800,000 vs 1,800,000 of the file)?

joe.gross · December 16, 2022, 5:03pm

Hard to guess without more information, but it is the first time I have ever heard if that happening.

I understand that GELF is the format, but how did you send the messages? Any chance the messages were duplicated by the sending mechanism?

If you repeat what you did the first time, does it produce the same duplication?

gianluca-valentini · December 16, 2022, 5:49pm

Hi @joe.gross,

Thanx for your time. I did a bulk ingestion from file with about 1,800,000 rows.
With journal on, it become full and when I see the message count on the graylog elastic or using itessage count i see that number difference.

Removing the journal the number of file ow and messages is the same.

Adding the journal the number is different. The message count is not always the same but it is greater than the file rows.

I use logstash to ingest file rows
Thanks
Gianluca

joe.gross · December 16, 2022, 8:44pm

Hmm. Not doubled then? How much over 1.8M is it? Does it vary?

Exactly how/where are you getting your counts? Please be specific and detailed.

How are you removing the journal? Again, please be specific and detailed.

Finally, Is the journal reaching 100% when you do the bulk import?

system · December 30, 2022, 8:44pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Duplicated messages Graylog Central (peer support)	4	3685	April 10, 2017
Duplicate Logs on same index Graylog Central (peer support)	3	642	May 26, 2020
Messages counted on an Input of new Graylog2 node is duplicated Graylog Central (peer support)	5	1478	May 17, 2018
Graylog server with full journal Graylog Central (peer support)	1	683	October 8, 2020
Solved Need help unprocessed messages (message in elasticsearch but not appears in graylog) Graylog Central (peer support)	7	7872	August 7, 2018

Journal duplicate messages?

Related topics