I would like to know how I need to configure Filebeat to use an existing index (it's empty). What's the configuration to do so? So far I tried in a Helm chart:
The workaround is to set setup.ilm.enabled: false in your Filebeat configuration. Could you try that and see if the my-index-filebeat template and my-index-filebeat index get created?
I tried with that option but unfortunately it doesn't work.
My case is a little bit uncommon. I need to use the my-index-filebeat index that was created by the Elasticsearch admins in my company. I cannot create any index in the Elasticsearch server.
What should I do to make it work?
Logs:
2019-10-17T13:56:00.894Z INFO pipeline/output.go:93 Attempting to reconnect to backoff(elasticsearch(https://XXXXXXXXXX.com:8443)) with 4 reconnect attempt(s)
2019-10-17T13:56:00.894Z INFO [publisher] pipeline/retry.go:189 retryer: send unwait-signal to consumer
2019-10-17T13:56:00.894Z INFO [publisher] pipeline/retry.go:191 done
2019-10-17T13:56:00.894Z INFO [publisher] pipeline/retry.go:166 retryer: send wait signal to consumer
2019-10-17T13:56:00.894Z INFO [publisher] pipeline/retry.go:168 done
2019-10-17T13:56:00.903Z INFO elasticsearch/client.go:743 Attempting to connect to Elasticsearch version 6.8.2
2019-10-17T13:56:00.914Z INFO template/load.go:169 Existing template will be overwritten, as overwrite is enabled.
2019-10-17T13:56:00.984Z INFO template/load.go:108 Try loading template my-index-filebeat to Elasticsearch
Indexing into an existing index should be fine; I just tested it to make sure.
As a test, could you try to send a Bulk API request, using the same username+password as in your Filebeat configuration, to my-index-filebeat from the command line (using curl or equivalent) on the host where Filebeat is running?
That'll tell us if a) a connection can be made from the Filebeat host to the Elasticsearch cluster and b) if the configured user has sufficient privileges to bulk index documents into my-index-filebeat.
Also, are those all the logs you are seeing for Filebeat? Specifically, are there any log messages showing errors or warnings?
curl -s -H "Content-Type: application/x-ndjson" -XPOST https://XXXXXX.com:8443/_bulk --data-binary "@requests" -u XXXXXX; echo
Enter host password for user 'XXXXXX':
{"error":{"root_cause":[{"type":"action_request_validation_exception","reason":"Validation Failed: 1: type is missing;"}],"type":"action_request_validation_exception","reason":"Validation Failed: 1: type is missing;"},"status":400}
{"took":9,"errors":true,"items":[{"index":{"_index":"test","_type":"_doc","_id":"1","status":403,"error":{"type":"security_exception","reason":"action [indices:admin/create] is unauthorized for user [XXXXX]"}}}]}
Just a reminder: I cannot create an index, I can only use the existing one.
So is test not an existing index? Can you try the bulk request from curl using the same existing index that you would use in your output.elasticsearch.index setting?
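Added example, not part of any post in this thread: a Python helper that builds a bulk body in the form Elasticsearch 6.x accepts (with `_type` on each action) and interprets the two responses quoted above. The function names are hypothetical, and reading the `indices:admin/create` denial as an auto-create attempt on an index that does not exist is an assumption about that response.

```python
import json
import re

# The two responses quoted in the thread (user name already redacted there).
VALIDATION_RESPONSE = '{"error":{"root_cause":[{"type":"action_request_validation_exception","reason":"Validation Failed: 1: type is missing;"}],"type":"action_request_validation_exception","reason":"Validation Failed: 1: type is missing;"},"status":400}'
DENIED_RESPONSE = '{"took":9,"errors":true,"items":[{"index":{"_index":"test","_type":"_doc","_id":"1","status":403,"error":{"type":"security_exception","reason":"action [indices:admin/create] is unauthorized for user [XXXXX]"}}}]}'
ACTION_RE = re.compile(r"action \[([^\]]+)\] is unauthorized")

def bulk_body(index, docs, doc_type="_doc"):
    """Build an NDJSON _bulk body; every action line names the index and _type."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index, "_type": doc_type}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"  # a bulk body must end with a newline

def diagnose(response_text):
    """Return (index, status, finding) tuples for each failure in a _bulk response."""
    resp = json.loads(response_text)
    if "error" in resp:  # whole request rejected before any item was processed
        return [(None, resp.get("status"), "request rejected: " + resp["error"]["reason"])]
    findings = []
    for item in resp.get("items", []):
        for result in item.values():
            err = result.get("error")
            if not err:
                continue  # this item was indexed successfully
            m = ACTION_RE.search(err.get("reason", ""))
            if err.get("type") == "security_exception" and m:
                finding = "denied action " + m.group(1)
                if m.group(1) == "indices:admin/create":  # assumption: auto-create attempt
                    finding += " (index missing, bulk tried to create it)"
            else:
                finding = err.get("type", "unknown") + ": " + err.get("reason", "")
            findings.append((result.get("_index"), result.get("status"), finding))
    return findings

if __name__ == "__main__":
    print(bulk_body("my-index-filebeat", [{"message": "constructed test event"}]), end="")
    for text in (VALIDATION_RESPONSE, DENIED_RESPONSE):
        print(diagnose(text))
```

Writing the output of `bulk_body` to the `requests` file used by the curl command in the thread targets the existing index instead of `test`, so any remaining 403 names the write privilege that is actually missing.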