Dead Letter Queue DLQ

cglencr · October 24, 2019, 6:45pm

I have searched but cannot find any documentation or discussion on how to test the DLQ in 7.4.

I have set the logstash.yml for DLQ as:
dead_letter_queue.enable: true
path.dead_letter_queue: "C:/Applications/ElasticSearch/DeadLetterQueue"

But how to test this works? All of the help on this site explains

that you can only use it with an ElasticSearch output.
message are only sent to the DLQ when a 400 or 403 occurs
has examples on how to input message that exist in a DLQ

So any advice on how to actually get a message to show up in the DLQ would be appreciated.

Badger · October 24, 2019, 7:51pm

You can force a 400 with a mapping exception. The following should get a mapping exception for otherField when it tries to send the second event to elasticsearch.

input { generator { count => 1 lines => [ 'object', 'not' ] } }
filter {
    mutate { add_field => { "someField" => '{ "foo": 1 }' } }
    json { source => "someField" target => "otherField" }
    if [message] == "not" {
        mutate { replace => { "otherField" => "just a string" } }
    }
}

system · November 21, 2019, 7:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.