Occasionally, my logstash receives a message from a few days back, and logstash tries to write it into an index which was already marked as readonly and forcemerged. Logstash then receives a 403 error from Elasticsearch, and instead of dropping the message or placing it into the DLQ, it keeps retrying it.
Eventually, these undeliverable messages clog up the output queue completely, and no valid events are emitted afterwards.
I submitted a bug report already, but there seems to be no activity on it:
[ERROR][logstash.filters.ruby ] Ruby exception occurred: comparison of LogStash::Timestamp with Time failed
I also tried to follow this answer, but in my environment, installing additional plugins like age{} is a lengthy process requiring approvals, so I'd prefer to avoid that:
Is there an easy way to use the Ruby filter to achieve this?
Thanks
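
An added example, not part of the original post: one way to discard stale events with the stock ruby filter, comparing epoch seconds so that a `LogStash::Timestamp` is never compared directly with a `Time` (the comparison the quoted exception complains about). `FakeTimestamp`, `FakeEvent`, `handle_stale`, the `stale_event` tag and the 3-day cutoff are assumptions made for illustration; inside Logstash the `event` object is supplied by the filter.

```ruby
# Constructed stand-ins so the logic runs outside Logstash.
FakeTimestamp = Struct.new(:time) do   # mimics LogStash::Timestamp#to_f
  def to_f; time.to_f; end
end

class FakeEvent                        # mimics the Event calls used below
  attr_reader :cancelled
  def initialize(fields); @fields = fields; @cancelled = false; end
  def get(key); @fields[key]; end
  def cancel; @cancelled = true; end
  def tag(name); (@fields['tags'] ||= []) << name; end
end

MAX_AGE_SECONDS = 3 * 86_400  # assumption: older indices are already read-only

# Logic for the ruby filter's `code` option, wrapped in a method for testing.
# action :drop cancels the event; action :tag marks it so an output
# conditional can route it somewhere other than the read-only index.
def handle_stale(event, now: Time.now, max_age: MAX_AGE_SECONDS, action: :drop)
  ts = event.get('@timestamp')
  return :no_timestamp if ts.nil?

  # Both sides become Float epoch seconds, so no cross-type comparison occurs.
  age = now.to_f - ts.to_f
  return :kept if age <= max_age

  if action == :tag
    event.tag('stale_event')
    :tagged
  else
    event.cancel
    :dropped
  end
end

# Equivalent one-liner inside a pipeline (259200 s = 3 days):
#   filter {
#     ruby {
#       code => "event.cancel if Time.now.to_f - event.get('@timestamp').to_f > 259200"
#     }
#   }
```

Place the filter after any date filter that sets `@timestamp`, otherwise the age is measured from ingestion time and nothing is ever considered stale.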