Skip to content

loki: prevent duplicate log ingestion and improve timestamp handling#4498

Open
Anulo2 wants to merge 3 commits into
crowdsecurity:masterfrom
Anulo2:fix/loki-duplicate-ingestion
Open

loki: prevent duplicate log ingestion and improve timestamp handling#4498
Anulo2 wants to merge 3 commits into
crowdsecurity:masterfrom
Anulo2:fix/loki-duplicate-ingestion

Conversation

@Anulo2

@Anulo2 Anulo2 commented Jun 3, 2026

Copy link
Copy Markdown
  • Scan all streams for maxTS instead of only the first stream's last entry
  • Use strconv.ParseInt/FormatInt for nanosecond timestamps to avoid 32-bit Atoi overflow on platforms where int is 32-bit
  • Align entry.go timestamp parsing with types.go (time.Unix(0, t))

Fixes duplicate log lines appearing 2-3x in CrowdSec alerts when using Loki datasource in streaming mode.

…ling

Remove the 'else if infinite' branch in updateURI() that reset the query
start timestamp backward by 1 minute when no new results were returned.
This caused the same Loki log entries to be re-fetched and ingested
multiple times, inflating event counts and triggering false bucket
overflows.

Also improve robustness:
- Scan all streams for maxTS instead of only the first stream's last entry
- Use strconv.ParseInt/FormatInt for nanosecond timestamps to avoid 32-bit
  Atoi overflow on platforms where int is 32-bit
- Align entry.go timestamp parsing with types.go (time.Unix(0, t))

Fixes duplicate log lines appearing 2-3x in CrowdSec alerts when using
Loki datasource in streaming mode.
@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown

@Anulo2: There are no 'kind' label on this PR. You need a 'kind' label to generate the release automatically.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind fix
  • /kind chore
  • /kind dependencies
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown

@Anulo2: There are no area labels on this PR. You can add as many areas as you see fit.

  • /area agent
  • /area local-api
  • /area cscli
  • /area appsec
  • /area security
  • /area configuration
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@Anulo2

Anulo2 commented Jun 3, 2026

Copy link
Copy Markdown
Author

/kind fix

@Anulo2

Anulo2 commented Jun 3, 2026

Copy link
Copy Markdown
Author

/area agent

@blotus blotus added this to the Next release milestone Jun 30, 2026
@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 80.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.00%. Comparing base (4e57efb) to head (e68f612).

Files with missing lines Patch % Lines
pkg/acquisition/modules/loki/entry.go 0.00% 2 Missing ⚠️
...on/modules/loki/internal/lokiclient/loki_client.go 90.90% 1 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##           master    #4498       +/-   ##
===========================================
+ Coverage   37.57%   64.00%   +26.42%     
===========================================
  Files         460      478       +18     
  Lines       33569    34310      +741     
===========================================
+ Hits        12614    21959     +9345     
+ Misses      19595    10158     -9437     
- Partials     1360     2193      +833     
Flag Coverage Δ
bats 46.45% <0.00%> (?)
unit-linux 37.51% <80.00%> (-0.07%) ⬇️
unit-windows 26.73% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants