Logstash not creating new index

will.nickisch · December 8, 2021, 9:17pm

I am having an issue with multiple tcp inputs and logstash not pulling in messages from the second tcp input.

The data received on port 6050 is going into the default index logstash-%{+YYYY.MM.dd} but the data sent from rsyslog to port 6052 is not being recorded at all.

I gave the logstash user temp superuser permissions to rule out permissions and still no luck.

Here is what I have for config files (edited to remove sensitive data and not applicable data):
rsyslog.conf

:fromhost-ip, isequal, "X.X.X.X" @@localhost:6052;json-template
& stop
*.* @@localhost:6050;json-template

logstash configs
01input.config

input {
  tcp {
    host => "localhost"
    port => 6050
    codec => "json"
    tags => "rsyslog"
  }
  tcp {
    host => "localhost"
    port => 6052
    codec => "json"
    type => "debug"
    tags => "cubes"
  }
  }
}

#filter {  }
#output {  }

99output.conf

output {
  if [tags] == "cubes" {
    elasticsearch { hosts => [ "10.30.97.248:9200" ]
    user => ["logstash"]
    password => ["password"]
    index => ["cubes-%{+YYYY.MM.dd}"]
  }
    } else {
    elasticsearch { hosts => [ "10.30.97.248:9200" ] 
    user => ["logstash"]
    password => ["password"]
    }
  }
}

When I perform a GET _cat/indices none of the cubes-%{+YYYY.MM.dd} indices are even being created.

Badger · December 8, 2021, 10:04pm

If ILM is enabled, and it is on by default for recent versions, then the index option is silently ignored. Personally I think that is a bad idea, but I don't get a vote on it.

will.nickisch · December 8, 2021, 10:26pm

Im fairly new to ELK. How do I disable that?
And if I disable that will it stop the index lifecycle policies?

Badger · December 8, 2021, 10:46pm

You can use the ilm_enabled option to disable it.

will.nickisch · December 9, 2021, 4:33pm

I set that setting to FALSE but no change. It is still not creating the new index and putting data anywhere.

will.nickisch · December 9, 2021, 5:39pm

I added the following code and now it is creating the index, but no data is being loaded into the new index

 ilm_enabled => true
    ilm_pattern => "{now/d}"
    ilm_rollover_alias => "cubes"

Badger · December 9, 2021, 6:28pm

Try if "cubes" in [tags]

will.nickisch · December 9, 2021, 10:28pm

I did finally get this working. to document the fix:
Insead of stating a second tcp input and using rsyslog to send those messages to the second input to get the tag, I just created a new filter with a mutate to add the tag. Once that tag was there I was able to use the if "cubes" in [tags] to add it to the new Index.

Thank you for the help!

system · January 6, 2022, 10:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Below logstash file is not creating the index with the name i specified Logstash	7	536	July 6, 2017
Logstash is not creating index in Elasticsearch Logstash docker	2	608	June 23, 2022
Logstash does not create index and doesn't give out any errors. Help Logstash	11	5563	July 6, 2017
Logstash does not creates nor updates index on elasticsearch Logstash	6	249	May 1, 2023
Logstash not pushing logs to ElasticSearch Logstash	27	5610	August 28, 2019

Logstash not creating new index

Related Topics