Logstash polling for closed index and stopping the log forwarding

Anjan_Pratap · January 26, 2018, 2:52pm

Hi,

I am using logstash 5.6 with filebeat, rsyslog and kafka as inputs. I implemented a script to close the indices older than one month. I am seeing log messages in logstash about the closed indices for long time and suddenly there is no data appearing on Kibana. once I open the closed indices, then only I am able to see data on Kibana.
adding the info messages wrt closed index. All the logs clustered with these messages.

My observation is , I am seeing these messages only for syslog index.

logstash-plain.log:[2018-01-26T14:40:24,288][INFO ][logstash.outputs.elasticsear ch] retrying failed action with response code: 403 ({"type"=>"index_closed_excep tion", "reason"=>"closed", "index_uuid"=>"Veahm9MQRN2Buu66Wlr3OQ", "index"=>"sta ging-syslog-2017.12.18"})

theuntergeek · February 2, 2018, 1:57pm

What this means is that some of the data coming in to Logstash is old enough (based on its timestamp) that Logstash is sending it to Elasticsearch, destined for a closed index.

system · March 2, 2018, 1:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Interesting logstash behavior Logstash	2	1058	October 24, 2017
Old logs? Logstash	7	2444	January 23, 2018
Logstash is failing with response code 403 (index_closed_exception) Logstash	9	10405	January 25, 2018
Logstash not processing new beat Logstash	2	292	February 28, 2019
Kibana4, no message querying closed indices Kibana	4	480	April 6, 2017

Logstash polling for closed index and stopping the log forwarding

Related topics