Setup ELK version 7.9.3: cannot create index, Logstash shows me this warning:
[logstash.outputs.elasticsearch][main][27fb9d77028509eff9b3e4ec584ce0c8528c70f76c962e4e94e144a725a5b964] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logs-packetbeat-flow-2020.11.04", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x35a2514c>], :response=>{"index"=>{"_index"=>"logs-packetbeat-flow-2020.11.04", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"only write ops with an op_type of create are allowed in data streams"}}}}
It seems you are using data streams instead of indexes in your installation:
Although I have not used data streams myself, I know that data streams cannot be updated - they only allow inserts of new documents. Therefore, I think setting the action setting to create (defaults to index) on your Elasticsearch output should help you.
I actually don't know what a data stream is in Elasticsearch. In ELK version 7.8 I didn't see this error, and when I upgraded to version 7.9 it can't show me indices, although it is showing but it is hidden.
Now it is working.
I changed my pipeline file.
I guess this is caused by the new index templates: The Elastic Stack creates a new index template with pattern logs-*-* which defines a data stream. See here for the relevant breaking change in 7.9.
To solve that, you would have to create your own template with a higher priority to store the data in indices instead of data streams. Unfortunately, I don't know if it is possible to convert the data stream back to "raw" indices...
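As an added example (not written by any poster in this thread, and not Elasticsearch code), this simplified Python model shows how the two suggestions above interact: which template wins for the index name in the warning, and when the write is rejected. The built-in priority of 100 is the value given in the Elasticsearch documentation; the custom template name `packetbeat-classic`, its pattern and its priority of 200 are hypothetical.

```python
from fnmatch import fnmatchcase

# Simplified model of composable index templates (assumption: only name
# patterns, priority and the data_stream flag matter for this error).
BUILTIN = [
    {"name": "logs", "index_patterns": ["logs-*-*"],
     "priority": 100, "data_stream": True},
    {"name": "metrics", "index_patterns": ["metrics-*-*"],
     "priority": 100, "data_stream": True},
]

# Hypothetical user template: higher priority, no data_stream section,
# so matching names are created as regular indices.
CUSTOM = {"name": "packetbeat-classic", "index_patterns": ["logs-packetbeat-*"],
          "priority": 200, "data_stream": False}


def winning_template(target, templates):
    """Return the highest-priority template matching target, or None."""
    matches = [t for t in templates
               if any(fnmatchcase(target, p) for p in t["index_patterns"])]
    return max(matches, key=lambda t: t["priority"], default=None)


def check_write(target, op_type, templates):
    """Return (accepted, detail) for a write to a target that does not exist yet."""
    tpl = winning_template(target, templates)
    if tpl and tpl["data_stream"]:
        if op_type != "create":
            return False, ("only write ops with an op_type of create "
                           "are allowed in data streams")
        return True, f"data stream via template {tpl['name']}"
    return True, "regular index" + (f" via template {tpl['name']}" if tpl else "")


if __name__ == "__main__":
    target = "logs-packetbeat-flow-2020.11.04"  # index name from the warning
    for label, op, tpls in [
        ("default Logstash action (index)", "index", BUILTIN),
        ("action set to create", "create", BUILTIN),
        ("custom template, priority 200", "index", BUILTIN + [CUSTOM]),
    ]:
        print(f"{label:34} -> {check_write(target, op, tpls)}")
```

An index name that does not match `logs-*-*` or `metrics-*-*` (for example one starting with `packetbeat-`) is unaffected by the built-in templates in this model.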