Elasticsearch not showing filebeat index template

Meghna_Mane · June 1, 2018, 5:02am

Hi,
I have just setup filebeat, ELK for prod.
I have load filebeat manually using following command and it acknowledges true:
curl -H 'Content-Type: application/json' -XPUT 'http://<ES_IP>:9200/_template/filebeat' -d@/etc/filebeat/filebeat.template.json

But if I curl -X GET "<ES_IP>:9200/_cat/indices" its not showing filebeat, and why it is showing logstash?

green  open  .monitoring-es-6-2018.05.25   U6vNNgfARdG83IUHrTjdrg 1 0   1125 8 703.8kb 703.8kb
green  open  .watches                      q8SQ6fcKTPau1p3GgTH01A 1 0      6 0  41.7kb  41.7kb
yellow open  logstash-2018.05.31           JGfOQY3MRf2fIWqzSCCZmw 5 1 173272 0  57.8mb  57.8mb
green  open  .triggered_watches            SbD-N8wDSNi3yijNy2omxQ 1 0      0 0  24.5kb  24.5kb
yellow open  logstash-2018.06.01           GoCGlN0qTJeSgmK1Pv8fHQ 5 1  28365 0  19.4mb  19.4mb
green  open  .kibana                       3s5qoOdXQDuJzv0BMPJ05w 1 0    144 2 155.7kb 155.7kb
       close .watcher-history-7-2018.05.25 JA-u0fabQdSWgaVrPxu7ig

was I miss anything? or is there any another method to load index template?

dadoonet · June 1, 2018, 5:46am

Are you sending your filebeat data to Logstash?

Meghna_Mane · June 1, 2018, 5:57am

Yes, I have configure Filebeat output to send logs to logstash
filebeat.yml
#----------------------------- Logstash output --------------------------------
output.logstash:
# The Logstash hosts
hosts: ["<logstash_IP>:5044"]

Just adding version details
filebeat version 6.2.4 (amd64), libbeat 6.2.4

bin/elasticsearch -V
Version: 6.2.4,

/bin/logstash -V
logstash 6.2.4

bin/kibana -V
6.2.4

dadoonet · June 1, 2018, 7:05am

So it means that data is collected by filebeat then processed by logstash then sent by logstash to elasticsearch.

That's why the index is named logstash-* as logstash is generating the data to Elasticsearch.

Out of curiosity, why are you using logstash instead of sending data directly to elasticsearch from filebeat?

Meghna_Mane · June 1, 2018, 7:28am

whatever I read about ELK stack
Logstash change unstructured data to structure data with grok, also provides geo coordinates from IP addresses.

but I have loaded filebeat index template to elasticsearch.
Then why it is not showing?

dadoonet · June 1, 2018, 8:04am

Logstash change unstructured data to structure data with grok, also provides geo coordinates from IP addresses.

Elasticsearch can do that as well with ingest pipelines.
Filebeat provides ingest pipelines out of the box when you setup the right modules.
But you can do that manually if you prefer.

Anyway, I'd recommend then to just create an ingest pipeline in elasticsearch and send the data from filebeat to elasticsearch directly which is the OOTB defaults.

I'd recommend reading this: Filebeat quick start: installation and configuration | Filebeat Reference [8.11] | Elastic

system · June 29, 2018, 8:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.