Logstash-filter-elasticsearch plugin fails to look up in Amazon ES

Hi,

New to ELK.
I am trying to use the logstash-filter-elasticsearch plugin for some lookup and computation.
It works fine with the on-prem 5.6.3 version.
The same config fails when connecting to Amazon ES 6.0.

Here is my config sample.

filter {
  if "ABC.process" in [service_name] {
    # Look up the matching XYZ.process document for the same transnumber
    # and copy its logtimestamp into this event as startdate.
    elasticsearch {
      hosts => ["someprivatecloud.amazonaws.com:443"]
      ssl => true
      index => "testindex"
      query => 'service_name:"XYZ.process" AND transnumber:%{[transnumber]}'
      fields => { "logtimestamp" => "startdate" }
    }
    # Duration in milliseconds between this event's logtimestamp and the looked-up startdate.
    ruby {
      init => "require 'time'"
      code => "duration = ((Time.parse(event.get('logtimestamp')[0]).to_f * 1000) - (Time.parse(event.get('startdate')[0]).to_f * 1000)) rescue nil; event.set('endtime', duration);"
    }
  }
}

Can you elaborate on the failure?

All I see is a tag with "_elasticsearch_lookup_failure".
I do not know how to enable debug/trace within "filter".
I can provide any trace if you can give me instructions for capturing it. (That would be an amazing help.)

Thank you in advance.
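The ruby filter in the config above is easiest to reason about outside Logstash. The following is an added example, not code from the thread: a stand-in for the small part of the LogStash::Event API the filter uses (get, set, tag), the same millisecond arithmetic as the `code` string, and the two outcomes a practitioner will see: a successful lookup yields a numeric endtime, while a failed lookup (no startdate copied in, event tagged _elasticsearch_lookup_failure) leaves endtime nil instead of raising. The Array() wrapping is an assumption that differs from the bare `[0]` in the post; it avoids indexing into the first character when the field is a plain string rather than an array.

```ruby
require 'time'

# Minimal stand-in for the LogStash::Event methods the ruby filter calls.
# Constructed for this example; it is not the real Logstash class.
class FakeEvent
  def initialize(fields)
    @fields = fields
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end

  def tag(t)
    (@fields['tags'] ||= []) << t
  end
end

# Same arithmetic as the filter's `code` string: milliseconds between the
# event's own logtimestamp and the startdate the elasticsearch filter copied in.
# Array(...).first tolerates both a scalar string and the array form the lookup
# produces; an unparsable or missing timestamp yields nil rather than an error.
def compute_duration(event)
  own_ts   = Array(event.get('logtimestamp')).first
  start_ts = Array(event.get('startdate')).first
  return nil if own_ts.nil? || start_ts.nil?
  ((Time.parse(own_ts).to_f * 1000) - (Time.parse(start_ts).to_f * 1000)).round
rescue ArgumentError
  nil
end

# What the ruby filter does per event: endtime is a number when the lookup
# succeeded and nil when it failed (the _elasticsearch_lookup_failure case).
def enrich(event)
  event.set('endtime', compute_duration(event))
  event
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample events: one with a successful lookup, one where the
  # elasticsearch filter matched nothing and only added the failure tag.
  hit = enrich(FakeEvent.new('logtimestamp' => '2018-01-10T10:00:05.250Z',
                             'startdate'    => ['2018-01-10T10:00:00.000Z']))
  miss = FakeEvent.new('logtimestamp' => '2018-01-10T10:00:05.250Z')
  miss.tag('_elasticsearch_lookup_failure')
  enrich(miss)
  puts "hit endtime=#{hit.get('endtime').inspect} miss endtime=#{miss.get('endtime').inspect}"
end
```

Because the original filter ends in `rescue nil`, a failed lookup never surfaces as an error in the pipeline; checking for the _elasticsearch_lookup_failure tag (or a nil endtime) downstream is the only signal that the enrichment did not happen.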

That implies nothing matched your query, so I would check that there is indeed something that matches.

I am certain that the data exists, as the same is working fine with the 5.6 on-prem ES instance.
Is there any other way I could troubleshoot?

In order to authenticate with AWS Elasticsearch service, a special Elasticsearch output plugin provided by Amazon (logstash-output-amazon_es) is required. I suspect this would also be a problem for the standard Elasticsearch filter plugin, so you may want to ask AWS support if they have a version of the Elasticsearch filter plugin.

These standard Logstash plugins should however work with Elastic Cloud as it has a different authentication mechanism, so that might also be an option.


Finally, I am able to look up in the Amazon ES instance.

All I had to do was change these two lines within the filter's elasticsearch block:
hosts => ["someprivatecloud.amazonaws.com:443"]
ssl => true

to

hosts => ["https://someprivatecloud.amazonaws.com:443"]
(removed this line: ssl => true)

Thank you all !!
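The fix above amounts to making the transport scheme explicit in the host entry instead of relying on a separate ssl flag. As an added example (not part of the thread or the Logstash plugin), the helper below normalizes a `hosts` list to explicit URLs and checks the result before a pipeline is loaded: bare host:port entries get https:// when ssl is true and http:// otherwise, entries that already carry a scheme are kept, and anything aimed at port 443 without https is flagged, which is exactly the mismatch that produced the silent lookup failure here.

```ruby
require 'uri'

# Normalize host entries (as given to `hosts => [...]`) into explicit URLs.
# Constructed helper for this example; it is not part of the plugin.
def normalize_hosts(hosts, ssl: false)
  hosts.map do |h|
    if h =~ %r{\A[a-z][a-z0-9+.-]*://}i
      # Scheme already present: keep the entry, but only accept http/https.
      scheme = URI.parse(h).scheme
      raise ArgumentError, "unsupported scheme in #{h}" unless %w[http https].include?(scheme)
      h
    else
      # Bare host:port: the ssl flag decides the scheme, so make it explicit.
      "#{ssl ? 'https' : 'http'}://#{h}"
    end
  end
end

# Pre-flight check on the normalized list: every entry needs a host and a
# port, and an entry on the TLS port 443 must actually use https.
def check_hosts(urls)
  urls.each do |u|
    uri = URI.parse(u)
    return false unless uri.host && uri.port
    return false if uri.port == 443 && uri.scheme != 'https'
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the poster's original entry, before and after the fix.
  original = normalize_hosts(['someprivatecloud.amazonaws.com:443'])
  fixed    = normalize_hosts(['https://someprivatecloud.amazonaws.com:443'])
  puts "original -> #{original.inspect} ok=#{check_hosts(original)}"
  puts "fixed    -> #{fixed.inspect} ok=#{check_hosts(fixed)}"
end
```

Keeping the scheme in the URL also means the same host list reads identically whichever Logstash plugin consumes it, so a missing or ignored ssl option in one plugin cannot quietly downgrade the connection to plain HTTP.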
