Fluentd filter plugin to deduplicate records for InfluxDB

A filter plugin that implements the deduplication techniques described in
the InfluxDB doc.

Installation

Using RubyGems:

fluent-gem install fluent-plugin-influxdb-deduplication

Configuration

Deduplicate by incrementing the timestamp

Each data point is assigned a unique timestamp. The filter plugin reads the fluentd record event time with a precision
to the second, and stores it in a field with a precision to the nanosecond. Any sequence of record with the same
timestamp has a timestamp incremented by 1 nanosecond.

<filter pattern>
  @type influxdb_deduplication
  <time>
    # field to store the deduplicated timestamp
    key my_key_field
  </time>
</filter>

For example, the following input records:

Fluentd Event Time	Record
1613910640	{ “k1” => 0, “k2” => “value0” }
1613910640	{ “k1” => 1, “k2” => “value1” }
1613910640	{ “k1” => 2, “k2” => “value2” }
1613910641	{ “k1” => 3, “k3” => “value3” }

Would become on output:

Fluentd Event Time	Record
1613910640	{ “k1” => 0, “k2” => “value0”, “my_key_field” => 1613910640000000000 }
1613910640	{ “k1” => 1, “k2” => “value1”, “my_key_field” => 1613910640000000001 }
1613910640	{ “k1” => 2, “k2” => “value2”, “my_key_field” => 1613910640000000002 }
1613910641	{ “k1” => 3, “k3” => “value3”, “my_key_field” => 1613910643000000000 }

The time key field can then be passed as is to
the fluent-plugin-influxdb-v2. Example configuration on nginx
logs:

<filter nginx.access>
  @type influxdb_deduplication
  <time>
    # field to store the deduplicated timestamp
    key my_key_field
  </time>
</filter>
<match nginx.access>
    @type influxdb2
    # setup the access to your InfluxDB v2 instance
    url             https://localhost:8086
    token           my-token
    bucket          my-bucket
    org             my-org
    # the influxdb2 time_key must be set to the same value as the influxdb_deduplication time.key
    time_key my_key_field
    # the timestamp precision must be set to ns
    time_precision ns
    tag_keys ["request_method", "status"]
    field_keys ["remote_addr", "request_uri"]
</match>

The data can then be queried as a table and viewed in Grafana for example with the flux query:

from(bucket: "my-bucket")
  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)
  |> pivot(
    rowKey: ["_time"],
    columnKey: ["_field"],
    valueColumn: "_value"
  )
  |> keep(columns: ["_time", "request_method", "status", "remote_addr", "request_uri"])

Deduplicate by adding a sequence tag

Each record is assigned a sequence number, the output record can be uniquely identified by the pair (fluentd_event_time,
sequence_number). The event time is untouched so no precision is lost for time.

<filter pattern>
  @type influxdb_deduplication
  <tag>
    # field to store the deduplicated timestamp
    key my_key_field
  </tag>
</filter>

For example, the following input records:

Fluentd Event Time	Record
1613910640	{ “k1” => 0, “k2” => “value0” }
1613910640	{ “k1” => 1, “k2” => “value1” }
1613910640	{ “k1” => 2, “k2” => “value2” }
1613910641	{ “k1” => 3, “k3” => “value3” }

Would become on output:

Fluentd Event Time	Record
1613910640	{ “k1” => 0, “k2” => “value0”, “my_key_field” => 0 }
1613910640	{ “k1” => 1, “k2” => “value1”, “my_key_field” => 1 }
1613910640	{ “k1” => 2, “k2” => “value2”, “my_key_field” => 2 }
1613910641	{ “k1” => 3, “k3” => “value3”, “my_key_field” => 0 }

The sequence tag should be passed in the tag parameters
of fluent-plugin-influxdb-v2. Example configuration on nginx
logs:

<filter nginx.access>
  @type influxdb_deduplication
  <time>
    # field to store the deduplicated timestamp
    key my_key_field
  </time>
</filter>
<match nginx.access>
    @type influxdb2
    # setup the access to your InfluxDB v2 instance
    url             https://localhost:8086
    token           my-token
    bucket          my-bucket
    org             my-org
    # the influxdb2 time_key is not specified so the fluentd event time is used
    # time_key
    # there's no requirements on the time_precision value this time
    # time_precision ns
    # "my_key_field" must be passed to influxdb's tag_keys
    tag_keys ["request_method", "status", "my_key_field"]
    field_keys ["remote_addr", "request_uri"]
</match>

The data can then be queried as a table and viewed in Grafana for example with the flux query:

from(bucket: "my-bucket")
  |> range(start: v.timeRangeStart, stop: v.timeRangeStop)
  |> pivot(
    rowKey: ["_time", "my_key_field"],
    columnKey: ["_field"],
    valueColumn: "_value"
  )
  |> keep(columns: ["_time", "request_method", "status", "remote_addr", "request_uri"])

Detecting out of order records

This filter plugin expects the fluentd event timestamps of the incoming record to increase and never decrease.
Optionally, a order key can be added to indicate if the record arrived in order or not. For example with this config

<filter pattern>
  @type influxdb_deduplication
  order_key order_field
  <time>
    # field to store the deduplicated timestamp
    key my_key_field
  </time>
</filter>

Without order key, out of order records are dropped to avoid previous data points being overridden. With a order key,
out of order records will still be pushed but with order_field = false. Out of order records are not deduplicated but
they will be apparent in influxdb.