Hi,
The ignore_older concept is not working in our use case.
Please find our use case below:
- We took a backup of the Elasticsearch folder installed on your Windows server at 10 AM on May 15, 2024.
- Elasticsearch (ES), Filebeat, and Logstash continued to work and push data to ES until 12 AM on May 15, 2024.
- At 12 AM, we deleted the entire ES folder.
- We restored the backup of ES that was taken at 10 AM on May 15, 2024.
- After refreshing the backup ES, we could see the data saved until 10 AM on May 15, 2024.
- The Filebeat log file contains monitor and harvested information until 12 PM.
- We need to retrieve the missing data between 10 AM and 12 PM.
- We set ignore_older: 2h in the Filebeat configuration (filebeat.yml).
- However, after restarting Filebeat and Logstash, it is not pushing the missing data, and there are no errors in the log file; only monitor entries are present.
Can you please provide your suggestion on this issue?
I have shared the filebeat.yml file for your reference.
```yaml
# =========================== Filebeat inputs =============================
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:\LIMSAudit\AuditTextFilePath\\specimen-*.json
  fields: {log_type: specimen}
  ignore_older: 2h
- type: log
  enabled: true
  paths:
    - C:\LIMSAudit\AuditTextFilePath\\useractivity-*.json
  fields: {log_type: useractivity}
  ignore_older: 2h
- type: log
  enabled: true
  paths:
    - C:\LIMSAudit\AuditTextFilePath\\order-*.json
  fields: {log_type: order}
  ignore_older: 2h
- type: log
  enabled: true
  paths:
    - C:\LIMSAudit\AuditTextFilePath\\profile-*.json
  fields: {log_type: profile}
  ignore_older: 2h
```