I am unable to use logstash to load csv files to elastic search

lungelo_zondo · December 5, 2018, 9:23am

I get this on CMD but no data can be seen on elastic search.

C:\Users\zondol\logstash-6.5.1\bin>logstash -f /Users/zondol/data/logstash.config
Sending Logstash logs to C:/Users/zondol/logstash-6.5.1/logs which is now configured via log4j2.properties
[2018-12-05T10:57:47,336][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-12-05T10:57:47,376][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.5.1"}
[2018-12-05T10:57:51,910][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "document_type" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0. You should avoid this feature If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"document_type", :plugin=><LogStash::Outputs::ElasticSearch index=>"originId", id=>"8a6346c13634a5b1aaa45ade0aaac38f25c357c32deb97891c8c98e50ee5ee1e", hosts=>[//localhost:9200], document_type=>"output_input_log", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_899f2dec-e50a-412a-8222-84d07db3c047", enable_metric=>true, charset=>"UTF-8">, workers=>1, manage_template=>true, template_name=>"logstash", template_overwrite=>false, doc_as_upsert=>false, script_type=>"inline", script_lang=>"painless", script_var_name=>"event", scripted_upsert=>false, retry_initial_interval=>2, retry_max_interval=>64, retry_on_conflict=>1, action=>"index", ssl_certificate_verification=>true, sniffing=>false, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>false>}
[2018-12-05T10:57:54,340][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-12-05T10:57:55,006][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>[http://localhost:9200/]}}
[2018-12-05T10:57:55,024][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://localhost:9200/, :path=>"/"}
[2018-12-05T10:57:55,331][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2018-12-05T10:57:55,422][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2018-12-05T10:57:55,429][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}
[2018-12-05T10:57:55,472][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2018-12-05T10:57:55,496][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2018-12-05T10:57:55,526][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2018-12-05T10:57:56,419][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x69afc614 run>"}
[2018-12-05T10:57:56,525][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
[2018-12-05T10:57:56,537][INFO ][filewatch.observingtail ] START, creating Discoverer, Watch with file and sincedb collections
[2018-12-05T10:57:57,078][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

balumurari1 · December 5, 2018, 9:27am

hello,
if you could provide the input code it will be easy to provide the solution for you.

Regards.

lungelo_zondo · December 5, 2018, 9:28am

Hi balumari1,

Thanks for replying, please see below.

input {
file {
path => "C:/Users/zondol/data/log_file.csv"
start_position => "beginning"
sincedb_path => "nul"

}

filter {

    csv {

       separator => ","

       columns => ["originId","userId ","queryType","neStream ","neManager","neId","subscriberId","subscriberIdType"]
    }

}

output {

elasticsearch{

 hosts => ["localhost:9200"]
 index => "originId"
 document_type => "output_input_log"
}


stdout {}

}

balumurari1 · December 5, 2018, 9:31am

in filter section remove the spaces for the field for "userId ","neStream " as shown below

columns => ["originId","userId ","queryType","neStream ","neManager","neId","subscriberId","subscriberIdType"]

to

columns => ["originId","userId","queryType","neStream","neManager","neId","subscriberId","subscriberIdType"]

saeed · December 5, 2018, 9:32am

Hi
I had same problem and changed host:
hosts => ["localhost:9200"]
to this:
hosts => "localhost"
My load was successful.
Maybe it works for you too.

balumurari1 · December 5, 2018, 9:33am

here is sample example,

input {
file {
path => "D:/Balu/ELK-stack/csvfile.csv"
start_position => "beginning"
sincedb_path => "NUL"
}
}
filter {
csv {
separator => ","
columns => ["open","high","low","close","volume"]
}
}
output {
elasticsearch {
hosts => "http://localhost:9200"
index => "wallet-address-index"
}
stdout { codec => rubydebug }
}

lungelo_zondo · December 5, 2018, 11:36am

Thanks guys , I have tried all but still getting this below

C:\Users\zondol\logstash-6.5.1\bin>logstash -f /Users/zondol/data/logstash.config
Sending Logstash logs to C:/Users/zondol/logstash-6.5.1/logs which is now configured via log4j2.properties
[2018-12-05T13:32:30,808][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-12-05T13:32:30,836][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.5.1"}
[2018-12-05T13:32:36,491][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "document_type" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0. You should avoid this feature If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"document_type", :plugin=><LogStash::Outputs::ElasticSearch index=>"originId", id=>"8c0b3cc9c442b1b14c7c56239c7dec3b6991e95b8d32afffe061fb5c8309440c", hosts=>[http://localhost:9200], document_type=>"output_input_log", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_5756dfcb-24ed-42cf-b775-120e8d4a99dd", enable_metric=>true, charset=>"UTF-8">, workers=>1, manage_template=>true, template_name=>"logstash", template_overwrite=>false, doc_as_upsert=>false, script_type=>"inline", script_lang=>"painless", script_var_name=>"event", scripted_upsert=>false, retry_initial_interval=>2, retry_max_interval=>64, retry_on_conflict=>1, action=>"index", ssl_certificate_verification=>true, sniffing=>false, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>false>}
[2018-12-05T13:32:38,931][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-12-05T13:32:39,588][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>, :added=>[http://localhost:9200/]}}
[2018-12-05T13:32:39,624][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://localhost:9200/, :path=>"/"}
[2018-12-05T13:32:39,986][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2018-12-05T13:32:40,106][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6}
[2018-12-05T13:32:40,124][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}
[2018-12-05T13:32:40,169][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["http://localhost:9200"]}
[2018-12-05T13:32:40,230][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2018-12-05T13:32:40,296][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2018-12-05T13:32:41,205][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x27e5bb63 run>"}
[2018-12-05T13:32:41,308][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
[2018-12-05T13:32:41,332][INFO ][filewatch.observingtail ] START, creating Discoverer, Watch with file and sincedb collections
[2018-12-05T13:32:41,836][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

saeed · December 5, 2018, 12:25pm

This is my config file and it works:
input {
file {
path => "C:/Data/booking/booking.csv"
start_position => "beginning"
#sincedb_path => "/dev/null"
}
}
filter {
csv {
separator => "|"
columns => ["hotelId","HotelName","City"]
remove_field => [ "host", "message", "path", "@timestamp", "@version" ]
}
}
output {
elasticsearch {
hosts => "localhost"
index => "booking"
document_type => "hotel"
}
stdout {}
}

Maybe problem is logstash and elasticsearch version! I think they should have same version. If your versions is different, try same version!

lungelo_zondo · December 5, 2018, 1:06pm

Did you comment out sincedb_path

lungelo_zondo · December 5, 2018, 1:09pm

The versions are the same , both 6.5.1

saeed · December 6, 2018, 5:06am

Yes. And after that it works!!! I don't know why.

saeed · December 6, 2018, 6:23am

I test it again and my load is fail now!!!
But when unpack logstash.zip again and use it without plugins I installed before it works.
Try this way, maybe that's it.

lungelo_zondo · December 6, 2018, 7:27am

It doesn't work for me

lungelo_zondo · December 6, 2018, 7:28am

I don't understand this part

saeed · December 6, 2018, 8:06am

I removed old logstash folder, and downloaded logstash-6.5.1 again and used it.
Try this way.

lungelo_zondo · December 6, 2018, 8:09am

let me try..thanks saed..you help is very appreciated

lungelo_zondo · December 6, 2018, 1:27pm

I got it right , I was saving my csv file as filename .csv so it couldn't recognize the file

system · January 3, 2019, 1:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.