Logstash polling for closed index and stopping the log forwarding

Anjan_Pratap · January 26, 2018, 2:52pm

Hi,

I am using logstash 5.6 with filebeat, rsyslog and kafka as inputs. I implemented a script to close the indices older than one month. I am seeing log messages in logstash about the closed indices for long time and suddenly there is no data appearing on Kibana. once I open the closed indices, then only I am able to see data on Kibana.
adding the info messages wrt closed index. All the logs clustered with these messages.

My observation is , I am seeing these messages only for syslog index.

logstash-plain.log:[2018-01-26T14:40:24,288][INFO ][logstash.outputs.elasticsear ch] retrying failed action with response code: 403 ({"type"=>"index_closed_excep tion", "reason"=>"closed", "index_uuid"=>"Veahm9MQRN2Buu66Wlr3OQ", "index"=>"sta ging-syslog-2017.12.18"})

theuntergeek · February 2, 2018, 1:57pm

What this means is that some of the data coming in to Logstash is old enough (based on its timestamp) that Logstash is sending it to Elasticsearch, destined for a closed index.

system · March 2, 2018, 1:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.