I am experiencing an issue with Filebeat where, after an index rollover, the new index shows 0 documents, and no data seems to be indexed. Here are the details of my setup:'
Filebeat Configuration:
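# Filebeat configuration: tails /var/log/*.log with multiline joining and
# ships events to Elasticsearch. Indentation restored from the flattened paste.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
    multiline.type: pattern
    # Backslashes restored (presumably stripped when the config was pasted).
    # Without them the pattern matches the literal letter d, and with
    # negate: true every line is then appended to the previous event.
    multiline.pattern: ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
    multiline.negate: true
    multiline.match: after
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
# ILM and template setup are disabled in Filebeat, so the index template,
# the rollover alias and the policy attachment must all exist in
# Elasticsearch already.
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  # NOTE(review): no scheme is given, so Filebeat uses plain http, and the
  # variable name suggests a public address. The elastic credentials below
  # would then cross the network unencrypted; use https here.
  host: '$elk_host_public_ip:5601'
  # NOTE(review): elastic is the built-in superuser and the password is
  # stored in clear text. Use a dedicated least-privilege user or an API key,
  # and reference the secret from the Filebeat keystore instead.
  username: 'elastic'
  password: 'password'
output.elasticsearch:
  # NOTE(review): http sends the basic-auth credentials unencrypted. Prefer
  # https together with ssl.certificate_authorities.
  hosts: ["http://elasticsearch-host:9200"]
  # NOTE(review): same superuser and clear-text password as setup.kibana.
  # A publishing role scoped to the target indices is sufficient here.
  username: 'elastic'
  password: 'password'
  # NOTE(review): likely cause of the empty index after rollover. This value
  # is a concrete index name ending in -000001, not the rollover alias, so
  # events keep landing in -000001 indices and never reach the -000002 index
  # that ILM creates. Write to the alias set in index.lifecycle.rollover_alias
  # (no date or numeric suffix) and confirm it has a write index.
  index: "rollover-7.17.8-%{+yyyy.MM.dd}-000001"
# The stats endpoint has no authentication; keep it bound to localhost.
http.enabled: true
http.port: 5067
http.host: localhost
monitoring.enabled: true
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 3
  # Octal mask: owner read/write, group read, no access for others.
  permissions: 0640
seccomp:
  # NOTE(review): default_action: allow replaces the built-in seccomp policy
  # with one that permits every syscall, which removes that hardening layer
  # and makes the rseq entry below redundant. Treat this as a temporary
  # workaround and check whether a newer Filebeat release removes the need.
  default_action: allow
  syscalls:
    - action: allow
      names:
        - rseq
name: 'project_name'
tags: ['project_name']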
' > /etc/filebeat/filebeat.yml
The ILM policy is:
PUT _ilm/policy/rollover
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_age": "10m",
"max_docs": 10
},
"set_priority": {
"priority": 100
}
}
},
"delete": {
"min_age": "10m",
"actions": {
"delete": {
"delete_searchable_snapshot": true
}
}
}
}
}
}