New index is not created

Wojciech_Gomola · January 15, 2020, 8:20am

Hi. I have Filebeat + ELK stack. My Logstash has a pretty standard configuration:

input {
  beats {
    port => 5044
  }
}

filter {
  grok {
  	match => {
  		"message" => "^(?<log_date>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d)\d?\|(?<level>WARN|INFO|DEBUG|ERROR|FATAL)\|%{GREEDYDATA:message}"
  	}
  }
  date {
    match => ["log_date", "yyyy-MM-dd HH:mm:ss.SSS"]
    timezone => "+01:00"
    remove_field => ["log_date"]
  }
}

output {
  elasticsearch {
    hosts => ["elastic:9201", "elastic:9202"]
  }
}

Yes, I have 2 instances of ES on a single machine, but they use different directories. For some reason indices are not created daily I have 2 indices. Both created the 28th of December. New docs are added to the second one.
Does someone know what I did wrong?

grumo35 · January 15, 2020, 10:12am

Hi

You can specify indices like this in your output

output {
  elasticsearch {
    hosts => ["elastic:9201", "elastic:9202"]
    index = >  "foobar"
  }
}

You should reffer to : documentation

if you want something daily you should try something like this

index = > "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"

Wojciech_Gomola · January 15, 2020, 12:29pm

I don't wanna specify it manually. AFAIK default one should work as I expect. I suppose that it is related to ILM, for some reason, Logstash is not able to figure out the format.

grumo35 · January 15, 2020, 12:33pm

Maybe, you should try logstash log level debug and see what's happening.

Wojciech_Gomola · January 16, 2020, 2:11pm

Nothing realy interesting. It uses default index. To be sure I dropped index template and LS recreated it. It still writes to old index.

[2020-01-16T14:16:46,488][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@index = "logstash-%{+YYYY.MM.dd}"
[2020-01-16T14:16:46,488][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@manage_template = true
[2020-01-16T14:16:46,489][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@template_name = "logstash"
[2020-01-16T14:16:46,489][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@template_overwrite = false

I have also added the second file output plugin and I see that timestamp is properly formatted. What date does the ES plugin use for index names?

Edit:
Logs related to ILM:

[2020-01-16T14:16:46,497][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@ilm_enabled = "auto"
[2020-01-16T14:16:46,497][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@ilm_rollover_alias = "logstash"
[2020-01-16T14:16:46,498][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@ilm_pattern = "{now/d}-000001"
[2020-01-16T14:16:46,498][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@ilm_policy = "logstash-policy"

Wojciech_Gomola · January 16, 2020, 3:39pm

I used custom index format and used lowercase y instead of uppercase and it fixed issue. Other peoples struggles with it also Github

grumo35 · January 17, 2020, 8:56am

Oh i forgot that, ineed no caps in index names

system · February 14, 2020, 8:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
The index is not created and no log is recorded Elasticsearch	6	789	July 5, 2017
Indexes creation by date issue Logstash	10	9857	November 7, 2017
Basic understating regarding index creation Logstash	10	2769	August 13, 2021
Elastic not creating index daily based on date Logstash	13	2185	July 6, 2020
How to configure indexes in logstash Elasticsearch	2	599	June 23, 2019

New index is not created

Related topics