Drop old messages using Ruby filter

programagor · October 11, 2018, 6:27am

Greetings

Occasionally, my logstash receives a message from few days back, and logstash tries to write it into an index which was already marked as readonly and forcemerged. Logstash then receives a 403 error from Elasticsearch, and instead of dropping the message or placing it into DLQ, it keeps retrying it.
Eventually, these undeliverable messages clog up the output queue completely, and no valid events are emitted afterwards.
I submitted a bug report already, but there seems to be no activity on it:

github.com/elastic/logstash

Logstash keeps retrying after receiving 403 Forbidden from Elasticsearch

opened 03:29PM - 26 Sep 18 UTC

closed 02:15PM - 30 Mar 21 UTC

programagor

defunct

When Logstash encounters the 403 error from Elasticsearch, it erroneously reatte…mpts to index the document. This document then keeps polluting the output queue, potentially reducing throughput of the entire pipeline. The correct behaviour is to either place the document into DLQ, or to drop the document entirely. From RFC 2616 - 10.4.4 403 Forbidden: > The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. I encountered this problem when I set older indices to be read-only, and Logstash picked up some old logs and tried to write them into these old read-only indices. These messages are logged: ``` [2018-09-26T16:20:04,391][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"cluster_block_exception", "reason"=>"blocked by: [FORBIDDEN/8/index write (api)];"}) [2018-09-26T16:20:04,391][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>4} ``` - Version: 6.4.1 - Operating System: CentOS Linux release 7.4.1708 (Core), GNU/Linux 4.15.0-29-generic x86_64 - Config File (if you have sensitive info, please remove it) ``` node.name: xxxxx path.data: /var/lib/logstash path.logs: /opt/logstash/logs http.host: x.x.x.x http.port: 9600-9700 xpack.monitoring.enabled: true xpack.monitoring.elasticsearch.url: ["https://x.x.x.x:9200", ...] xpack.monitoring.elasticsearch.username: "logstash_system" xpack.monitoring.elasticsearch.password: "xxxxx" xpack.monitoring.elasticsearch.ssl.ca: /etc/logstash/certs/xxxxx-ca.crt xpack.management.enabled: true xpack.management.elasticsearch.url: ["https://x.x.x.x:9200", ...] xpack.management.elasticsearch.username: "logstash_admin" xpack.management.elasticsearch.password: "xxxxx" xpack.management.logstash.poll_interval: 5s xpack.management.pipeline.id: ["xxxxx"] xpack.management.elasticsearch.ssl.ca: /etc/logstash/certs/xxxxx-ca.crt dead_letter_queue.enable: true ``` - Steps to Reproduce: 1. Create index 1. Set `index_settings.index.blocks.write: True` 1. Write to the index using Logstash Associated discussion: https://discuss.elastic.co/t/make-logstash-drop-documents-on-403/149977

I tried using the following filter:

filter {
  ruby {
    init => "require 'time'"
    code => 'if event.get("[@timestamp]") < ( Time.now - 432000 )
      event.cancel
    end'
  }
}

However, using this, I get the following error:

[ERROR][logstash.filters.ruby    ] Ruby exception occurred: comparison of LogStash::Timestamp with Time failed

I also tried to follow this answer, but in my environment, installing additional plugins like age{} is a lengthy process requiring aprovals, so I'd prefer to avoid that:

Is there an easy way to use the Ruby filter to achieve this?
Thanks

programagor · October 19, 2018, 7:51am

I found a way:

ruby {
  init => "require 'time'"
  code => 'if LogStash::Timestamp.new(event.get("@timestamp")+432000) < ( LogStash::Timestamp.now)
    event.cancel
  end'
}

system · November 16, 2018, 7:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Make Logstash drop documents on 403 Logstash	9	1623	November 16, 2018
Logstash retries 404 instead of dropping - output stuck Logstash	4	783	December 22, 2022
Retrying individual bulk actions that failed or were rejected by the previous bulk request Elasticsearch	14	21287	August 1, 2018
Error FORBIDDEN/8/index write (api)] and Elasticsearch stop to receiving logstash bulk requests Logstash	8	5636	February 12, 2020
Interesting logstash behavior Logstash	2	1058	October 24, 2017

Drop old messages using Ruby filter

Related Topics