When Logstash posts even a single document to Elasticsearch, it takes about 4 minutes for it to show up in Kibana.
I installed the ELK stack (ES5.3) on a fresh Debian install on old hardware.
The machine has 8Gb RAM, a 2 GHz AMD Athlon CPU and a 7200RPM drive (using the deadline scheduler because it performs best on this particular hardware).
I've monitored the calls from LS to ES and those get sent pretty much instantly after LS receives the message.
I've also done some manual (curl) posting through ES's API using the "refresh=wait_for" switch.
The call returns in about 3 to 4 seconds.
However, it takes about 4 minutes before the data appears in Kibana!
(Yes, I'm performing a wildcard search in the discover screen, every 5 minutes.)
I read that data should be searchable after about 1 second on decent hardware.
My hardware may not be great but it seems to cope quite well. No bizarre CPU or disk usage.
My cluster state is yellow (there's only one instance of ES in "the cluster").
The memory locking warnings I used to have were solved and everything seems peachy.
But why this thing takes so long is beyond me.
I haven't been able to enable the index slow log. For some reason I can't make that work.
That seems pretty long, but much better than your four minutes. You might be better off asking on the Kibana forums though because that 3-4 seconds is the elasticsearch time. Everything else is "something else" time. Maybe Kibana? I'm not sure.
I've tried adding this to the log4j options too, but I don't get errors, nor a slowlog.
Also, I've tried replacing the "index." part with the actual index name I'm interested in, yet to no avail.