Logstash will not re-create the index with similar conf and log file after it was deleted


(Kathy) #1

Hi,
I have been struggling for many days and can't seem to figure out what is happening.
I am running Elasticsearch 1.7.1 with Logstash 1.5.4.

My Logstash conf file, named "logstash-apache", is stored in the path c:\users\student\logstash-1.5.4\logstash-1.5.4\conf\logstash-apache

My log file is stored in the path c:\users\student\logstash-1.5.4\logstash-1.5.4\log\access_log

I followed the instructions from this link: http://logstash.net/docs/1.4.1/tutorials/getting-started-with-logstash and was able to index to ES with the test files. I was able to see the output in the Logstash window.

However, after I deleted the index using curl -XDELETE and tried to run the same command, the index was not created in ES. Below are the last few lines of the Logstash output:

    INFO: [logstash-myPC] detected_master [myNode1][dIlKd954RWypKyKh-20H5A][KL-PC][inet[/192.168.1.4:9300]], added {[myNode1][dIlKd954RWypKyKh-20H5A][myPC][inet[/192.168.1.4:9300]],}, reason: zen-disco-receive(from master [[myNode1][dIlKd954RWypKyKh-20H5A][myPC][inet[/192.168.1.4:9300]]])
    Sep 19, 2015 5:19:42 AM org.elasticsearch.node.internal.InternalNode start
    INFO: [logstash-myPC] started
    Logstash startup completed

This is my conf file:
    input {
      file {
        path => ["C:\Users\student\logstash-1.5.4\logstash-1.5.4\log\access_log1*"]
        start_position => "beginning"
      }
    }

    filter {
      if [path] =~ "access" {
        mutate { replace => { "type" => "apache_access" } }
        grok {
          match => { "message" => "%{COMBINEDAPACHELOG}" }
        }
      }
    }

    output {
      elasticsearch { host => "localhost" }
      stdout { codec => rubydebug }
    }

I have tried the following tricks but still can't seem to get it to work again:

  1. Changed the path for the input file to use "/" or "\" slashes, or enclosed it in square brackets.
  2. Changed the start_position to either "beginning" or "end".
  3. Added an empty line to the log file.
  4. Added a new event entry to the log file or amended the content of the data in the log file.
  5. Tried to change the index name with the statement
    elasticsearch {
      action => "index"
      index => "test-apache"
    }

There is no error when I run Logstash. I am able to add a new id to the default logstash index using the stdin command.

Hope someone is able to help. Thank you in advance.


(Mark Walkom) #2

Unless you are adding new data to the input file, you are running into a sincedb issue.
Take a look at the file input docs for more information on that, but you want to delete the file that is there and specify your own one.
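
An added illustration (not part of the posts above, and not Logstash's own code): a simplified Python model of how the file input's sincedb decides where to resume reading, replaying the delete-the-index-and-rerun sequence from the question. The four-field `inode major minor offset` line format, the function names and the file names are assumptions of this example, and the log lines are constructed.

```python
import os
import tempfile

def load_sincedb(sincedb_path):
    """Return {inode: offset} from lines of the form 'inode major minor offset'."""
    db = {}
    if os.path.exists(sincedb_path):
        with open(sincedb_path) as fh:
            for line in fh:
                fields = line.split()
                if len(fields) == 4:
                    db[fields[0]] = int(fields[3])
    return db

def run_file_input(log_path, sincedb_path, start_position="end"):
    """One simulated Logstash run: return the lines that would become events."""
    db = load_sincedb(sincedb_path)
    key = str(os.stat(log_path).st_ino)
    if key in db:
        offset = db[key]  # file already seen: resume here, start_position is ignored
    elif start_position == "beginning":
        offset = 0        # first contact: read the whole file
    else:
        offset = os.path.getsize(log_path)  # first contact: only future lines
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
        db[key] = fh.tell()
    with open(sincedb_path, "w") as out:
        for inode, pos in db.items():
            out.write("%s 0 0 %d\n" % (inode, pos))  # device numbers fixed at 0 in this model
    return data.decode().splitlines()

def demo():
    """Replay the thread's sequence on a constructed two-line access log."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "access_log")
        sincedb = os.path.join(tmp, ".sincedb_demo")
        with open(log, "w") as fh:
            fh.write("constructed line 1\nconstructed line 2\n")
        first = run_file_input(log, sincedb, "beginning")
        # The index is deleted in Elasticsearch; Logstash is restarted with the same conf.
        second = run_file_input(log, sincedb, "beginning")
        os.remove(sincedb)  # the fix from the reply above
        third = run_file_input(log, sincedb, "beginning")
        return len(first), len(second), len(third)
```

Deleting the Elasticsearch index changes nothing on the Logstash side: the second run finds the stored offset at end of file and emits no events until the sincedb entry is removed.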


(Kathy) #3

Got it, thank you very much.

Regards

