returns the following error, instead of the data shown in the tutorial:
{"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index","index":"logstash-2016.03.08","resource.type":"index_or_alias","resource.id":"logstash-2016.03.08"}],"type":"index_not_found_exception","reason":"no such index","index":"logstash-2016.03.08","resource.type":"index_or_alias","resource.id":"logstash-2016.03.08"},"status":404}
Elasticsearch is running correctly on the host 192.168.77.200. This is the content of first-pipeline.conf as indicated by the tutorial:
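Following the tutorial, it looks roughly like this (the path is a placeholder for where I saved the sample log, and hosts points at the Elasticsearch instance mentioned above):

input {
    file {
        path => "/path/to/logstash-tutorial.log"
        start_position => "beginning"
    }
}
filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
}
output {
    elasticsearch {
        hosts => [ "192.168.77.200:9200" ]
    }
    stdout {}
}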
Logstash is probably ignoring logstash-tutorial.log. Maybe because it thinks it has already processed the file (in which case you can delete the sincedb file or set the file input's sincedb_path parameter to /dev/null), or because you're running Logstash 2.2 and logstash-tutorial.log is older than 24 h (see the file input's ignore_older option).
In the input section of the pipeline, we must add sincedb_path => "/dev/null" to tell Logstash to re-process the data, as you said (see the input sketch below).
The source data file must not be older than 24 h, as you said, so (on Linux) a touch logstash-tutorial.log will fix the problem.
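Putting both fixes together, the input section becomes something like the following sketch; the path is a placeholder, and ignore_older => 0 is an alternative to touching the file (if 0 doesn't disable the age check in your version, a very large value has the same effect):

input {
    file {
        path => "/path/to/logstash-tutorial.log"
        # Read the file from the beginning instead of tailing it.
        start_position => "beginning"
        # Forget read positions, so the whole file is re-processed on every run.
        sincedb_path => "/dev/null"
        # Alternative to touch: lift the 24 h cut-off applied by Logstash 2.2.
        ignore_older => 0
    }
}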
The filter section should include a date filter to match the timestamp extracted from the log; otherwise Logstash will stamp each event with the time it read the line, rather than the time of the logged request (quite useless):
filter {
    grok {
        # Parse the Apache combined log line into named fields.
        match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
        # Use the timestamp grok extracted as the event's @timestamp.
        match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
    geoip {
        # Add geographical information derived from the client IP.
        source => "clientip"
    }
}
Another useful edit, in the output section, is to set the index name to something more meaningful:
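For example, something like the following sketch; apache-access is just an illustrative name, and the %{+YYYY.MM.dd} suffix keeps the one-index-per-day pattern of the default logstash-* naming:

output {
    elasticsearch {
        hosts => [ "192.168.77.200:9200" ]
        # Illustrative name; the date suffix creates one index per day.
        index => "apache-access-%{+YYYY.MM.dd}"
    }
    stdout {}
}

You can then confirm the index was created with curl -XGET 'http://192.168.77.200:9200/_cat/indices?v'.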