Logstash-filter-elasticsearch plugin fails to look up in amazon es

srama · January 21, 2018, 12:07am

Hi,

New to ELK.
I am trying to use logstash-filter-elasticsearch plugin for some look up and computation.
It works fine with on prem 5.6.3 version.
The same config fails while connection to Amazon ES 6.0.

Here is my config sample.

filter {
if "ABC.process" in [service_name] {
elasticsearch {
hosts => ["someprivatecloud.amazonaws.com:443"]
ssl => true
index => "testindex"
query => 'service_name:"XYZ.process" AND transnumber:%{[transnumber]}'
fields => {"logtimestamp" => "startdate" }
}
ruby {
init => "require 'time'"
code => "duration = ((Time.parse(event.get('logtimestamp')[0]).to_f * 1000) - (Time.parse(event.get('startdate')[0]).to_f * 1000)) rescue nil; event.set('endtime', duration);"
}
}
}

warkolm · January 21, 2018, 12:30am

Can you elaborate on the failure?

srama · January 21, 2018, 1:17am

All I see is a tag with "_elasticsearch_lookup_failure"
I do not know how to enable debug/trace within "filter".
I can provide any trace if you can direct the instructions to capture. ( Thats would be amazing help )

Thank you in advance.

warkolm · January 21, 2018, 2:31am

That implies nothing matched your query, so I would check that there is indeed something that matches.

srama · January 21, 2018, 7:16am

I am certain that the data exists as the same is working fine with 5.6 onprem ES instance.
Is there anyway else I could troubleshoot?

Christian_Dahlqvist · January 21, 2018, 11:35am

In order to authenticate with AWS Elasticsearch service, a special Elasticsearch output plugin provided by Amazon (logstash-output-amazon_es) is required. I suspect this would also be a problem for the standard Elasticsearch filter plugin, so you may want to ask AWS support if they have a version of the Elasticsearch filter plugin.

These standard Logstash plugins should however work with Elastic Cloud as it has a different authentication mechanism, so that might also be an option.

srama · January 21, 2018, 4:34pm

Finally, I am able to lookup in amazon es instance.

All I had to do was change these two lines within filter's elasticsearch
hosts => ["someprivatecloud.amazonaws.com:443"]
ssl => true

to

hosts => ["https://someprivatecloud.amazonaws.com:443"]
removed this line -- ssl => true

Thank you all !!

system · February 18, 2018, 4:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trouble using elasticsearch filter plugin Logstash	8	3323	October 26, 2017
Elasticsearch input with AWS ES as service Logstash	1	623	July 6, 2017
How To Output to Amazon Elasticsearch Service Logstash	6	14285	October 26, 2017
ES Lookups Logstash	8	554	April 8, 2020
Elasticsearch filter plugin doesn't work when using elasticsearch on cloud Logstash	2	420	January 25, 2022

Logstash-filter-elasticsearch plugin fails to look up in amazon es

Related topics