Dead Letter Queue (DLQ) issue

kernelpanic · August 30, 2018, 5:46pm

Hello,

I'm using Logstash 6.3.2 and I've enabled the DLQ but it doesn't appear to be indexing the events back into Elasticsearch; the log files in the DLQ data directory just keep growing and all i'm seeing in logstash-plain.log is:

[WARN ][org.logstash.common.io.DeadLetterQueueWriter] Event previously submitted to dead letter queue. Skipping...

I have the following in my logstash.conf file to repair the DLQ messages so they can be indexed into Elasticsearch:

if "dlq" in [tags] {
      mutate {
        convert => {
          "src_ip" => "string"
          "dst_ip" => "string"
       }          
     }
    }

However the repaired messages I'm expecting to see in Elasticsearch aren't there.

Can anyone help?

kernelpanic · August 31, 2018, 10:02am

If I remove the problematic fields as below:

if "dlq" in [tags] {
     mutate { remove_field => [ "src_ip", "dst_ip" ] } 
     }

I no longer see the "Event previously submitted to dead letter queue. Skipping..." error in the Logstash log, however the message is still not indexed into Elasticsearch.

Anyone?

Topic		Replies	Views
Logstash DLQ dir empty, but all events end up duplicated in the Elasticsearch's dlq index Logstash	1	231	September 14, 2022
No events in DLQ Logstash	7	2700	August 23, 2017
DLQ Processing Logstash	2	570	January 3, 2023
Error in processing events from DLQ Logstash	3	1965	April 26, 2018
DLQ pipeline not showing fields added in the filter section of the Logstash pipeline in the datastream Logstash	3	427	September 10, 2021

Dead Letter Queue (DLQ) issue

Related topics