Recently I started using forcemerge on my old indices. However, I found out that occasionally, Logstash writes into the older indices, increasing the segment count, so the curator has to merge them again on the next day. To prevent this, I now switch older indices to read-only just before merging.
However, now when I look at the Logstash logs, there are a lot of entries like
Thanks for the information. Should a feature request be submitted to Logstash to drop documents on 403, or at least place them into the DLQ, instead of polluting the output queue? I don't think that it's too specific to my scenario, as the only way to fix the 403 is to either give the Logstash user the correct privileges, or make the relevant indices writable. Neither of these things is resolved by simply retrying, so placing these documents into the DLQ seems reasonable to me.
It's not about privileges. It's that Elasticsearch is flat out refusing to do anything with the message.
Maybe it is a good idea to enable DLQ for this. Maybe it already is. Have you checked? The DLQ feature in Logstash has to be enabled. It isn't on by default.
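The read-only-before-forcemerge procedure from the first post, written out as an added example (not code from the thread or from Elastic): it sets the write block, verifies it is in place, and only then force-merges. It assumes curl and awk are available and that Elasticsearch is reachable at `$ES_URL`.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): block writes on an old index, then force-merge it,
# so a late Logstash write cannot raise the segment count again.
# Assumes: curl, awk, and Elasticsearch reachable at $ES_URL (default below).
set -eu
ES_URL="${ES_URL:-http://localhost:9200}"

# Reject indexing requests. Elasticsearch answers them with a 403 cluster_block_exception,
# which is the error the first post sees in the Logstash log.
set_write_block() {
  curl -sS -X PUT "$ES_URL/$1/_settings" -H 'Content-Type: application/json' \
       -d '{"index":{"blocks":{"write":true}}}'
}

# Confirm the block is really set before merging (GET _settings returns values as strings).
has_write_block() {
  curl -sS "$ES_URL/$1/_settings/index.blocks.write" | grep -q '"write":"true"'
}

forcemerge_index() {
  curl -sS -X POST "$ES_URL/$1/_forcemerge?max_num_segments=1"
}

# Count the segments of INDEX from `_cat/segments` output on stdin (first column is the
# index name); used to skip indices that are already merged down to one segment.
count_segments() {
  awk -v idx="$1" '$1 == idx { n++ } END { print n + 0 }'
}

merge_readonly() {
  local idx="$1"
  set_write_block "$idx" >/dev/null
  has_write_block "$idx" || { echo "write block not set on $idx" >&2; return 1; }
  if [ "$(curl -sS "$ES_URL/_cat/segments/$idx" | count_segments "$idx")" -gt 1 ]; then
    forcemerge_index "$idx" >/dev/null
  fi
}

# Usage: merge_readonly logstash-2019.01.01
```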