Do these "could not index" errors actually end up in Elastic anywhere?

I've noticed quite a few of these errors with the elastic output plugin in /var/log/logstash/logstash-plain.log:

"Could not index event to Elasticsearch. {:status=>400, :action=>["create", ...

The solution to fix the error itself is pretty well-documented. I'm concerned about how to monitor and address these issues as they appear.

When a log isn't able to be indexed like this, does a summary of the error get index into Elastic? Or would I need to come up with my own solution to proactively fix these errors?

Like sending this log to elastic myself (with a grok pattern to properly parse the logs, if a plugin isn't available), or writing some sort of a script to periodically grep the log?

Hi @ckes Have you looked at the Dead Letter Queue?

exactly what I need! I'll see if it's enabled now or not. Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.