Hi Folks,
I am facing an issue with a ILM enabled logstash pipeline. Let me describe my objective. So I have created a logstash pipeline that has upsert feature to update/insert documents in the elasticsearch index. My another requirement is to enable the ILM policy for that index. As we know that for ILM policy we generally need to create a data stream but as data stream has only the "create" option that is why I used an alternative approach as below.
- Created ILM Policy
PUT _ilm/policy/ilm_policy_test_and_delete
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_size": "50gb",
"max_age": "7d"
},
"set_priority": {
"priority": 100
}
}
},
"warm": {
"actions": {
"set_priority": {
"priority": 50
}
}
},
"delete": {
"min_age": "365d",
"actions": {
"delete": {
"delete_searchable_snapshot": true
}
}
}
}
}
}
- Created Index template
PUT _index_template/index_template_test_and_delete
{
"index_patterns": ["test_and_delete-*"],
"template": {
"settings": {
"number_of_shards": 1,
"number_of_replicas": 1,
"index.lifecycle.name": "ilm_policy_test_and_delete",
"index.lifecycle.rollover_alias": "test_and_delete"
}
}
}
- Bootstraped index
PUT test_and_delete-2024-05-03-000001
{
"aliases": {
"test_and_delete": {
"is_write_index": true
}
}
}
4 And then started my logstash pipeline, having the below Output plugin configuration:
output {
if [type] == "test_and_delete" {
elasticsearch {
hosts => ["${ES_HOST1}","${ES_HOST2}","${ES_HOST3}"]
index => "test_and_delete"
document_id => "%{[@metadata][_id]}"
user => "${ES_USER}"
password => "${ES_PASSWORD}"
doc_as_upsert => true
action => "update"
manage_template => true
ilm_rollover_alias => "test_and_delete"
ilm_pattern => "{now/d}-000001"
ilm_policy => "ilm_policy_test_and_delete"
}
}
}
But when I started the pipeline it is throwing the below error continuously --
[2024-05-03T05:54:43,346][ERROR][logstash.outputs.elasticsearch][main][e60ee26ef629e7dbe4db94c41156641c2c467ca0257882fe1031cc13b8662410] Elasticsearch setup did not complete normally, please review previously logged errors {:message=>"Got response code '403' contacting Elasticsearch at URL '
http://xxx.xx.x.xxx:9200/test_and_delete'"
, :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError}
however, data is being added in the index "test_and_delete-2024-05-03-000001".
Hope I am able to explain the objective and the issue. If you need any further information, please do let me know.
Why I am getting the error? How to resolve it?
My ELK Version is: 7.11.1
Please help!
Kind regards,
Souvik