Index logstash (Delete)

asalma · May 7, 2018, 2:34pm

Hello again,

I delete logstash index with DELETE methode and I want to get it back, how can I do this ?

Christian_Dahlqvist · May 7, 2018, 2:42pm

Unless you have a snapshot you can restore from, there is no way to undo a delete.

asalma · May 7, 2018, 2:45pm

I don't want to undo the delete, but add the index an other time

magnusbaeck · May 7, 2018, 2:46pm

Where did the data come from in the first place, i.e. what inputs do you have in your Logstash configuration?

asalma · May 7, 2018, 2:55pm

input {
beats {
port => "5044"
}

}
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{GREEDYDATA:csv_data}"}
}
csv {
source => "csv_data"
columns => [ "src_ip","dst_ip","rule_name","src_zone","dst_zone","src_int","dst_int","port","protocol","action" ]
}
}

output {
elasticsearch {
hosts => [ "localhost:9200"]
}
stdout { codec => rubydebug }
}

the other problem is that when i push logs with filebeat, i can't see the filter, i see just beat.hostname, id_ , index_ ......

magnusbaeck · May 7, 2018, 5:33pm

You have to make Filebeat resend the data, e.g. by shutting down Filebeat, deleting the registry file, and starting it again.

the other problem is that when i push logs with filebeat, i can't see the filter, i see just beat.hostname, id_ , index_ ......

I don't understand what you mean. Please show examples instead of attempting to describe what you believe happens.

asalma · May 9, 2018, 7:14am

For example I want to apply the filter on a line of logs, but, I can't see the fields that I put in the filter appear !!

magnusbaeck · May 9, 2018, 8:18am

I think you've configured Filebeat to send directly to Elasticsearch, bypassing Logstash completely.

asalma · May 9, 2018, 9:30am

I change the configuration, ant the problem now is that logstash don't send logs to elasticsearch :

curl -XGET 'localhost:9200/filebeat-6.2.4-2018.05.09/_search?pretty&q=response=200'
{
"took" : 11,
"timed_out" : false,
"_shards" : {
"total" : 3,
"successful" : 3,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 0,
"max_score" : null,
"hits" : [ ]
}
}

magnusbaeck · May 9, 2018, 10:55am

With the configuration you posted earlier Logstash won't post to filebeat-6.2.4-2018.05.09 but rather logstash-2018.05.09.

asalma · May 9, 2018, 11:57am

Thank you, I can see it

system · June 6, 2018, 11:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeats(5.40) keeps on recreating the indices after deletion Beats filebeat	8	1047	April 3, 2018
Couldn't find any Elasticsearch data after deleting indexes Logstash	1	372	April 11, 2019
Filebeat not reading the already processed log file again Beats filebeat	3	1529	May 17, 2019
Logstash keep logging into default index Logstash	6	1127	July 6, 2017
Unable to index data coming from filebeat to elasticsearch Elasticsearch	2	402	June 10, 2020

Index logstash (Delete)

Related Topics