Logs already in Elasticsearch, how to parse?

Feldunoob · July 4, 2019, 10:09am

Hello,

Currently upgraded to 7.2 i am starting to use ELK, and trying to get efficiently.
I didn't notice fast enough that I could use Grok with filebeats, and send to logstash which sends afterwards to Elasticsearch.

So now, some logs (~50Gb) are actually already stored in elasticsearch and I need to parse the message tags values since I didn't do it beforehand.
Is there any way to parse the data that are already on it, so I could make visualizations efficiently afterwards ?

I swear, next time i'll use Grok patterns directly from filebeat to logstash beforehand !

Thanks

Christian_Dahlqvist · July 4, 2019, 11:19am

You should be able to use the reindex api together with an ingest pipeline.

system · August 1, 2019, 11:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Loading dumped non-parsed ES data to Logstash Logstash	2	431	July 11, 2017
How Can I parse logs that are already indexed in elasticsearch with logstash? Logstash	4	1096	February 28, 2019
Ingesting Elasticsearch Logs Logstash	1	575	July 6, 2017
Parsing the logs Beats filebeat	8	3440	January 8, 2018
How to do log parsing Beats filebeat	2	293	March 15, 2022

Logs already in Elasticsearch, how to parse?

Related topics