czome
August 15, 2018, 9:32am
1
Hello,
I don't understand why my logstash config don't save data in ES. My data comes from an xml file and here is my pipeline conf :
input {@LogResult ", "logResult",@FileName ", "fileName",@DateImport ", "importDate",@ImportType ", "importType",@ImportFormat ", "importFormat",@username ", "username"@lineNumber ", "lineNumber",@lineState ", "lineState",
czome:
index => "myWorkIndex"
Index names must be lower case. You should be able to see something about this in the Elasticsearch logs.
czome
August 15, 2018, 9:38am
3
Thank for your reactivity, but even if i don't specify index name ,no change. It will create default index (logstash-$date) but with no data.
What is the output of the cat indices API ?
czome
August 15, 2018, 9:59am
5
As you see my index was created, but when i request this index , i see no hits.
There is data in the index, so it looks like your query may be wrong. Try q=response:200 instead.
czome
August 15, 2018, 10:06am
7
As i sended in this picture , you will see no "hits". no data in my hits collection :
I'm sure that something is wrong in my filebeat config or logstash config.
Your query is still q=response=200 which is not the example I gave.
Do you even have a field named response in your data? Can you show a full document from that index?
czome
August 15, 2018, 12:06pm
11
No i haven't field "response", here is my origin xml document :
<?xml version="1.0" encoding="utf-8"?>
<ImportLogs LogResult="SUCCESS" ExecTime="00:00:02.424" FileName="filename.csv" ignored="17" valid="62" alert="0" error="0" DateImport="2018-06-13T09:03:24Z" ImportMode="InsertUpdate" user="Tutu Toto" username="tutu.qiqi@gmail.com" ImportType="Organisation" ImportFormat="Organisations">
<GeneralLog />
<LineLogs>
<linelog lineNumber="11" lineState="Ignored">
<log type="Warning">
<message>L'individu "tutu franck" n'existe pas</message>
</log>
</linelog>
<linelog lineNumber="14" lineState="Ignored">
<log type="Warning">
<message>L'individu "Juju.Huhu.23544.20382807" n'existe pas</message>
</log>
</linelog>
</LineLogs>
</ImportLogs>
That is what your query is searching for, so it is then not surprising it does not find any results.
czome
August 15, 2018, 3:48pm
13
Sorry, can you explain your answer please ?
Why this output don't flush in ElasticSearch ?
Here is my elasticSearch screen shot :
And my xml is :
<?xml version="1.0" encoding="utf-8"?>
<ImportLogs LogResult="SUCCESS" ExecTime="00:00:02.424" FileName="ORG.csv" ignored="17" valid="62" alert="0" error="0" DateImport="2018-06-13T09:03:24Z" ImportMode="InsertUpdate" user="Tutu Kiki" username="tutu.kiki@gmail.com" ImportType="Organisation" ImportFormat="Organisations">
<GeneralLog />
<LineLogs>
<linelog lineNumber="11" lineState="Ignored">
<log type="Warning">
<message>L'individu "Tutu.Franck.31966.20381925" n'existe pas</message>
</log>
</linelog>
<linelog lineNumber="14" lineState="Ignored">
<log type="Warning">
<message>L'individu "Laura.Beffa.23544.20382807" n'existe pas</message>
</log>
</linelog>
</LineLogs>
</ImportLogs>
What's wrong in my logstash conf ? or filebeat.yml conf please ?
There is not necessarily anything wrong with your Logstash or Filebeat config. It is your query that is wrong as you are searching for something that does not match any documents. Try with a query that matches all documents in Elasticsearch: q=*:*
czome
August 15, 2018, 5:04pm
15
Very good, it was my problem. Sorry, i'm starting on ELK.
system
September 12, 2018, 5:04pm
16
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
