Logstash does not create logstash-* indices in ES

ehsank777 · September 9, 2019, 11:07am

Hi,
Since we upgraded ELK to the version 7.2 , we faced a problem. logstash is creating indices with other names except logstash-yyyy.mm.dd format . In other words within logstash.conf we have

output {
    if "foo" in [tags] {
            elasticsearch { index => "foo-%{+YYYY.MM.dd}" }
    } else if "bar" in [tags] {
            elasticsearch { index => "bar-%{+YYYY.MM.dd}" }
    } else {
            elasticsearch { }
    }

it means if neither of "foo" or "bar" in tags, logs should be created under default indexing name, logstash-* but they don't. For example , from old logstash we have logstash-2019.09.05 in ES but after update on 2019.09.06 , we have nothing. I already tried deleting logstash template with
curl -XDELETE http://localhost:9200/_template/logstash
but it did not work.

system · October 7, 2019, 11:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.