Logstash will not re-create the index with similar conf and log file after it was deleted

lkekeng · September 21, 2015, 2:03am

Hi,
Has been struggling for many days and seem couldn't figure out what happen.
I am running ElasticSearch 1.7.1 with Logstash 1.5.4.

my logstash conf file named "logstash-apache" is stored in the path c:\users\student\logstash-1.5.4\logstash-1.5.4\conf\logstash-apache

my log file is stored in the path c:\users\student\logstash-1.5.4\logstash-1.5.4\log\access_log

I followed the instruction from this link" http://logstash.net/docs/1.4.1/tutorials/getting-started-with-logstash" and was able to index to ES with the test files. I was able to see the output in Logstash window.

However, after I deleted the index using curl -XDELETE and try to run the same command, the index was not created in ES. Below are the last few lines of logstash output:

INFO: [logstash-myPC] detected_master [myNode1][dIlKd954RWypKyKh-
20H5A][KL-PC][inet[/192.168.1.4:9300]], added {[myNode1][dIlKd954RWypKyKh-20H
5A][myPC][inet[/192.168.1.4:9300]],}, reason: zen-disco-receive(from master [[myNode1][dIlKd954RWypKyKh-20H5A][myPC][inet[/192.168.1.4:9300]]])
Sep 19, 2015 5:19:42 AM org.elasticsearch.node.internal.InternalNode start
INFO: [logstash-myPC] started
Logstash startup completed

This is my conf file:
input {
file {
path => ["C:\Users\student\logstash-1.5.4\logstash-1.5.4\log\access_log1*"]
start_position => "beginning"
}
}

filter {
if [path] =~ "access" {
mutate { replace => { "type" => "apache_access" } }
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}

}

output {
elasticsearch { host => "localhost"}
stdout { codec =,> rubydebug }
}

I have tried the following tricks but still can't seem to get it work again:

Changed the path for the input file to use "/" or "" slash or enclosed it with square bracket.
Change the start_position to either "beginning" or "end"
Add a empty line in the log file
Add new event entry to the log file or amend the content of the data in the log file
Tried to change the index name with statement
elasticsearch {
action => "index"
index => "test-apache"
}.

There is no error when I run logstash. I am able to add new id to default logstash index using stdin command.

Hope some one is able to help. Thank you in advance.

warkolm · September 21, 2015, 2:54am

Unless you are adding new data to the input file, you are running into a sincedb issue.
Take a look at the file input docs for more information on that, but you want to delete the file there is there and specify your own one.

lkekeng · September 22, 2015, 7:42am

Got it, thank you very much.

Regards

Topic		Replies	Views
Logstash not creating index on elasticsearch Logstash	5	4704	May 17, 2017
Logstash recreating deleted Index in ES Logstash	3	809	March 6, 2018
Logstash error to recreate Index for Elasticsearch Logstash	2	658	July 6, 2017
Not able to create Index in ES with Logstash Logstash	6	1621	July 6, 2017
Logstash conf file is not creating an index in ES Logstash docker	2	197	April 28, 2022

Logstash will not re-create the index with similar conf and log file after it was deleted

Related topics