Index logstash (Delete)

asalma · May 7, 2018, 2:34pm

Hello again,

I delete logstash index with DELETE methode and I want to get it back, how can I do this ?

Christian_Dahlqvist · May 7, 2018, 2:42pm

Unless you have a snapshot you can restore from, there is no way to undo a delete.

asalma · May 7, 2018, 2:45pm

I don't want to undo the delete, but add the index an other time

magnusbaeck · May 7, 2018, 2:46pm

Where did the data come from in the first place, i.e. what inputs do you have in your Logstash configuration?

asalma · May 7, 2018, 2:55pm

input {
beats {
port => "5044"
}

}
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{GREEDYDATA:csv_data}"}
}
csv {
source => "csv_data"
columns => [ "src_ip","dst_ip","rule_name","src_zone","dst_zone","src_int","dst_int","port","protocol","action" ]
}
}

output {
elasticsearch {
hosts => [ "localhost:9200"]
}
stdout { codec => rubydebug }
}

the other problem is that when i push logs with filebeat, i can't see the filter, i see just beat.hostname, id_ , index_ ......

magnusbaeck · May 7, 2018, 5:33pm

You have to make Filebeat resend the data, e.g. by shutting down Filebeat, deleting the registry file, and starting it again.

the other problem is that when i push logs with filebeat, i can't see the filter, i see just beat.hostname, id_ , index_ ......

I don't understand what you mean. Please show examples instead of attempting to describe what you believe happens.

asalma · May 9, 2018, 7:14am

For example I want to apply the filter on a line of logs, but, I can't see the fields that I put in the filter appear !!

magnusbaeck · May 9, 2018, 8:18am

I think you've configured Filebeat to send directly to Elasticsearch, bypassing Logstash completely.

asalma · May 9, 2018, 9:30am

I change the configuration, ant the problem now is that logstash don't send logs to elasticsearch :

curl -XGET 'localhost:9200/filebeat-6.2.4-2018.05.09/_search?pretty&q=response=200'
{
"took" : 11,
"timed_out" : false,
"_shards" : {
"total" : 3,
"successful" : 3,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 0,
"max_score" : null,
"hits" : [ ]
}
}

magnusbaeck · May 9, 2018, 10:55am

With the configuration you posted earlier Logstash won't post to filebeat-6.2.4-2018.05.09 but rather logstash-2018.05.09.

asalma · May 9, 2018, 11:57am

Thank you, I can see it

system · June 6, 2018, 11:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.