Hi all,
I am using the elasticsearch filter plugin on 5.5 for a configuration and using the tag_on_failure option to do additional sorting. When does the tag_on_failure option trigger? I know it counts as a failure when there is no such index to search from. But is it supposed to trigger when it cannot find the specified event?
I am testing this using this config:
input {
  file {
    ....
  }
}
filter {
  json {
    source => "message"
  }
  date {
    match => ["startDateTime", "yyyy-MM-dd'T'HH:mm:ss'Z'"]
  }
  ruby {
    code => "event.set('epoc', event.get('@timestamp').to_i * 1000)"
  }
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "myindex"
    query => "@timestamp:%{epoc}"
    fields => {"newfield" => "olddata"}
    tag_on_failure => ["_elasticsearch_lookup_failure"]
    add_field => {"status" => "success"}
  }
}
output {
  stdout { codec => rubydebug { metadata => true } }
}
I have manually checked that the event's timestamp getting ingested by the file input does not correspond to any event in the index I am searching against. In other words, the elasticsearch filter will for sure not find any event on query.
Does the plugin not fail if it can't find an old event?
Thanks