Logstash does not creates nor updates index on elasticsearch

Quentin_Moisy · March 31, 2023, 5:09pm

Hello, I new to the ELK flow and I have some issues with Logstash. Sometime my index will be populated sometime not. Furthermore it seems that logstash does not create index on elasticsearch. Can you help on that

My .conf file

input { 
     file {
   path => "C:/Work/elastic/log.csv"
   start_position => "beginning"
 }
} 

filter {
	csv {
		separator => ","
		columns => [
			"_time",
			"uid",
			"level"	
		]
	}
}
output { 
    
elasticsearch { 
        hosts => ["https://localhost:9200"]
        user => "elastic" 
        password => "password" 
	ssl_certificate_verification => false
	}

}

jba · March 31, 2023, 8:17pm

Read the documentation for the logstash-output-elasticsearch plugin. I think that you need to add a index => "......" somewhere in the elasticsearch {...} part to send the documents to your chosen index.

Rios · March 31, 2023, 8:26pm

If you don't specify index name your data will end up in index:

ECS Compatibility disabled: "logstash-%{+yyyy.MM.dd}"
ECS Compatibility enabled: "ecs-logstash-%{+yyyy.MM.dd}"
Default is v8 in 8.x version.

As Jan said, if you want separated index, just set:

elasticsearch { 
        hosts => ["https://localhost:9200"]
        index => "csvlog-%{+YYYY.MM.dd}"
        user => "elastic" 
        password => "password" 
	ssl_certificate_verification => false
	}

Quentin_Moisy · March 31, 2023, 8:55pm

My apologies I didn't sent the right .conf. In the right one I have

index => "idx"

but I still have the issues

Rios · March 31, 2023, 9:05pm

And again...
Since you have not set sincedb_path, it will be created and LS keeps tracking about read lines.

Option 1 Add sincedb_path => "NUL" (on Windows) bellow start_position, LS will not use the sincedb database file, on every LS restart will read from the beginning.

Option 2 Delete sincedb before everyrestart.

Quentin_Moisy · April 3, 2023, 3:41pm

I tried it again today and it works, thanks Rios.
The solution was to add sincedb_path => "NUL" bellow start_position as you mentioned.

input { 
     file {
       path => "C:/Work/elastic/log.csv"
       start_position => "beginning"
       sincedb_path => "NUL"
 }
}

system · May 1, 2023, 3:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash does not create index and doesn't give out any errors. Help Logstash	11	5565	July 6, 2017
Logstash not creating an index in elasticsearch Logstash	12	11011	July 6, 2017
Logstash don't create index Logstash	6	2031	December 12, 2017
Logstash does not create index on elasticsearch Logstash	5	7519	September 2, 2020
Logstash does not create index in Elasticsearch (Windows 10) Logstash	3	545	August 26, 2021

Logstash does not creates nor updates index on elasticsearch

Related topics