Problem with Docs Tutorial: Can't see Logstash Info in Kibana

Hi Folks,

I'm working through the tutorial, and I'm at this spot: https://www.elastic.co/guide/en/logstash/current/advanced-pipeline.html#testing-initial-pipeline

Things are going great (querying elasticsearch for the data), but when I get to the Kibana step, I don't see any entries in the "discover" view.

Querying 'http://192.168.56.10:9200/logstash-2019.04.25/_search?pretty&q=geoip.city_name=Buffalo' gives:

{
  "took" : 17,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 2,
    "max_score" : 2.5176964,
    "hits" : [
      {
        "_index" : "logstash-2019.04.25",
        "_type" : "doc",
        "_id" : "BV6iVGoBViasgcCKWHHG",
        "_score" : 2.5176964,
        "_source" : {
          "timestamp" : "04/Jan/2015:05:29:13 +0000",
          "request" : "/blog/geekery/disabling-battery-in-ubuntu-vms.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmain+%28semicomplete.com+-+Jordan+Sissel%29",
          "host" : {
            "name" : "17c3d81a4ce8"
          },
          "httpversion" : "1.1",
          "message" : "198.46.149.143 - - [04/Jan/2015:05:29:13 +0000] \"GET /blog/geekery/disabling-battery-in-ubuntu-vms.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmain+%28semicomplete.com+-+Jordan+Sissel%29 HTTP/1.1\" 200 9316 \"-\" \"Tiny Tiny RSS/1.11 (http://tt-rss.org/)\"",
          "log" : {
            "file" : {
              "path" : "/tmp/logstash-tutorial.log"
            }
          },
          "verb" : "GET",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "bytes" : "9316",
          "ident" : "-",
          "response" : "200",
          "geoip" : {
            "timezone" : "America/New_York",
            "latitude" : 42.8864,
            "region_name" : "New York",
            "postal_code" : "14202",
            "city_name" : "Buffalo",
            "country_code3" : "US",
            "region_code" : "NY",
            "longitude" : -78.8781,
            "ip" : "198.46.149.143",
            "continent_code" : "NA",
            "country_code2" : "US",
            "country_name" : "United States",
            "dma_code" : 514,
            "location" : {
              "lat" : 42.8864,
              "lon" : -78.8781
            }
          },
          "auth" : "-",
          "@version" : "1",
          "prospector" : {
            "type" : "log"
          },
          "beat" : {
            "name" : "17c3d81a4ce8",
            "hostname" : "17c3d81a4ce8",
            "version" : "6.6.0"
          },
          "input" : {
            "type" : "log"
          },
          "clientip" : "198.46.149.143",
          "agent" : "\"Tiny Tiny RSS/1.11 (http://tt-rss.org/)\"",
          "referrer" : "\"-\"",
          "offset" : 22508,
          "@timestamp" : "2019-04-25T13:14:45.250Z",
          "source" : "/tmp/logstash-tutorial.log"
        }
      },
      {
        "_index" : "logstash-2019.04.25",
        "_type" : "doc",
        "_id" : "N16iVGoBViasgcCKWXHT",
        "_score" : 2.5176964,
        "_source" : {
          "timestamp" : "04/Jan/2015:05:29:13 +0000",
          "request" : "/blog/geekery/solving-good-or-bad-problems.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmain+%28semicomplete.com+-+Jordan+Sissel%29",
          "host" : {
            "name" : "17c3d81a4ce8"
          },
          "httpversion" : "1.1",
          "message" : "198.46.149.143 - - [04/Jan/2015:05:29:13 +0000] \"GET /blog/geekery/solving-good-or-bad-problems.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+semicomplete%2Fmain+%28semicomplete.com+-+Jordan+Sissel%29 HTTP/1.1\" 200 10756 \"-\" \"Tiny Tiny RSS/1.11 (http://tt-rss.org/)\"",
          "log" : {
            "file" : {
              "path" : "/tmp/logstash-tutorial.log"
            }
          },
          "verb" : "GET",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "bytes" : "10756",
          "ident" : "-",
          "response" : "200",
          "geoip" : {
            "timezone" : "America/New_York",
            "latitude" : 42.8864,
            "region_name" : "New York",
            "postal_code" : "14202",
            "city_name" : "Buffalo",
            "country_code3" : "US",
            "region_code" : "NY",
            "longitude" : -78.8781,
            "ip" : "198.46.149.143",
            "continent_code" : "NA",
            "country_code2" : "US",
            "country_name" : "United States",
            "dma_code" : 514,
            "location" : {
              "lat" : 42.8864,
              "lon" : -78.8781
            }
          },
          "auth" : "-",
          "@version" : "1",
          "prospector" : {
            "type" : "log"
          },
          "beat" : {
            "name" : "17c3d81a4ce8",
            "hostname" : "17c3d81a4ce8",
            "version" : "6.6.0"
          },
          "input" : {
            "type" : "log"
          },
          "clientip" : "198.46.149.143",
          "agent" : "\"Tiny Tiny RSS/1.11 (http://tt-rss.org/)\"",
          "referrer" : "\"-\"",
          "offset" : 22795,
          "source" : "/tmp/logstash-tutorial.log",
          "@timestamp" : "2019-04-25T13:14:45.250Z"
        }
      }
    ]
  }
}

The logstash-2019.04.25 index shows up in Kibana's index management, too:

However, I don't see anything in discover:

Please help troubleshoot?


Elastic Stack 6.6.0

first-pipeline.conf

# Pipeline from the post: Beats input -> grok + geoip filters -> Elasticsearch and stdout outputs.
input {
    # Accept events from Beats shippers on port 5044.
    # No ssl or authentication options are set here, so as written this hop
    # relies on the network itself for protection.
    beats {
        port => "5044"
    }
}
filter {
    # Parse the raw "message" line with the COMBINEDAPACHELOG pattern; the query
    # result in the post shows fields such as clientip, verb, request and response.
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}"}
    }
    # Look up location data for the address held in "clientip"; the query result
    # in the post shows it under the "geoip" object.
    geoip {
        source => "clientip"
    }
}

output {
    # Index events into Elasticsearch at 192.168.56.10:9200. No index name is
    # given; the query in the post finds the documents in logstash-2019.04.25.
    # No user/password or ssl options are set in this block.
    # NOTE(review): confirm whether the cluster is reachable beyond the lab
    # network before reusing this output unchanged.
    elasticsearch {
        hosts => [ "192.168.56.10:9200" ]
    }
    # Also print every event to stdout using the rubydebug codec.
    stdout { codec => rubydebug }
}

filebeat.yml

# Read the tutorial's sample log file as a "log" type input.
filebeat.inputs:
- type: log
  paths:
    - /tmp/logstash-tutorial.log

# Ship events to the Logstash beats input at 192.168.56.10:5044
# (the port opened in first-pipeline.conf).
# No ssl settings are given for this output.
output.logstash:
  hosts: ["192.168.56.10:5044"]

Hi There,

We are having the same problem. We can't create the Kibana index pattern, even though the index exists in Elasticsearch and contains data...

We have installed ELK 7.0.

Any help would be really appreciated.

Please help us, and thanks in advance.
