Dead Letter Queue (DLQ) issue

kernelpanic · August 30, 2018, 5:46pm

Hello,

I'm using Logstash 6.3.2 and I've enabled the DLQ but it doesn't appear to be indexing the events back into Elasticsearch; the log files in the DLQ data directory just keep growing and all i'm seeing in logstash-plain.log is:

[WARN ][org.logstash.common.io.DeadLetterQueueWriter] Event previously submitted to dead letter queue. Skipping...

I have the following in my logstash.conf file to repair the DLQ messages so they can be indexed into Elasticsearch:

if "dlq" in [tags] {
      mutate {
        convert => {
          "src_ip" => "string"
          "dst_ip" => "string"
       }          
     }
    }

However the repaired messages I'm expecting to see in Elasticsearch aren't there.

Can anyone help?

kernelpanic · August 31, 2018, 10:02am

If I remove the problematic fields as below:

if "dlq" in [tags] {
     mutate { remove_field => [ "src_ip", "dst_ip" ] } 
     }

I no longer see the "Event previously submitted to dead letter queue. Skipping..." error in the Logstash log, however the message is still not indexed into Elasticsearch.

Anyone?

system · September 28, 2018, 10:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.