Logs no longer showing up in Kibana after updating my pipeline


(Maurice) #1

Hello to you all,
I have an issue: my logs were being pushed and were viewable in Kibana until I made a pipeline update. I am using:

Elasticsearch 5.4.0
Filebeat 5.3.1
Kibana: not sure, but it must be 5.4.0 too; I did not set the environment up…

So, in short, my logs were being pushed fine, but when I wanted to update my grok pattern, I made a pipeline update through my Postman successfully (just the same way I created it), and now I am not seeing my logs in Kibana anymore. I can see that the logs are being pushed while tailing the Filebeat log, but when I refresh Kibana, I don’t see my logs anymore. Please tell me what could be the reason?

One might think it is the grok pattern update that causes this, but even when I update the pipeline to what it was when the logs were being sent into Kibana, it still does not work. What is the best way to update a pipeline?

Here is my pipeline update “PUT” request payload, and I am sending it to: {{host}}/_ingest/pipeline/xyz_pipeline

Please note that after a lot of troubleshooting on the server, I installed everything locally (Elasticsearch, Kibana and Filebeat, ALL 5.5.1), and the behavior is the same. I reconfigured the logging for all these tools, but I am still not able to figure out why I do not see the logs once I make a pipeline update.

++++++++++++
{
  "description" : "xyz log pipeline",
  "processors": [
    {
      "gsub": {
        "field": "message",
        "pattern": "\n",
        "replacement": "\\n"
      }
    },
    {
      "grok": {
        "field": "message",
        "patterns": ["%{TIMESTAMP_ISO8601:log.datetime} \%{DATA:log.level}\ \[%{DATA:log.module}\] %{GREEDYDATA:log.message}"],
        "on_failure": [
          {
            "set": {
              "field": "ingestError",
              "value": "{{ _ingest.on_failure_message }}"
            }
          },
          {
            "set": {
              "field": "log.datetime",
              "value": "{{ @timestamp }}"
            }
          }
        ]
      }
    }
  ]
}
+++++++++++++++++++++++++++++++++++

I can see this being printed out in my filebeat log, which tells me (I think) that the logs are being pushed to elastic:

2017-08-11T12:16:37-04:00 INFO Non-zero metrics in the last 30s: filebeat.harvester.open_files=1 filebeat.harvester.running=1 filebeat.harvester.started=1 libbeat.es.call_count.PublishEvents=1 libbeat.es.publish.read_bytes=1804 libbeat.es.publish.write_bytes=136541 libbeat.es.published_and_acked_events=1 libbeat.publisher.published_events=1 publish.events=10 registrar.states.current=153 registrar.states.update=10 registrar.writes=2

Advice appreciated…

