Logstash service stop after a while

billy6 · March 14, 2016, 4:06pm

Hello, I have been struggling with this for 2 days.
I have a logstash instance with ES input and ES output, without filtering anything.
I run the logstash service and after a while (20 seconds more or less) the service stops.

in /var/log/logstash/logstash.log I have this>
{:timestamp=>"2016-03-14T16:56:35.412000+0100", :message=>"Configuration OK"}

here is my config file.

input{

elasticsearch {
    hosts => ["**ELASTICSEARCH_IP**:9200"]
   # query => '{ "query": { "match_all":{} } }'

   query => '{"query": { "match": { "host.raw": "**HOST_I_WANT_TO_FILTER**" } }}'
  #     size =>10
  }

}


output {
    elasticsearch
    {
        #cluster => "logstash"
        hosts => ["127.0.0.1:9200"]
        index => "logstash-syslog-%{+YYYY.MM.dd}"
        }

}

Do you have any idea what could be happening?
Thank you

warkolm · March 15, 2016, 2:29am

Can you run Logstash directly and pass it this config file to see what happens?

billy6 · March 15, 2016, 12:06pm

I see all the messages I'm getting from ES (input) at the end it appears "Logstash shutdown complete"
I think this is the problem I want logstash to stay continuously listening ES and in the moment it sees a new message take it.
Is that possible?
Thanks @warkolm

warkolm · March 15, 2016, 8:05pm

Ah right, you can't do that as it'll simply run the query and then find and process every document when it ran that query. There is no concept of a constantly running query in ES.

You will need to reschedule this using cron or similar.