Morning all,
I have an issue, my logs were being pushed and view-able into kibana until I made pipeline update, I am using:
- Elastic search 5.4.0
- Filebeat 5.3.1
- Kibana not sure but it must be 5.4.0 too, I did not set the environment up...
So, in short, my logs were being pushed fine, but when I wanted to update my grok pattern, I made a pipeline update thru my postman successfully, then I am not seeing my logs in kibana anymore, I can see that the logs are being pushed while tailing the filebeat log, but when I refresh kibana, I don't see my logs anymore. Please tell me what could be the reason?
And what is STRANGE is, there is one log file that keeps working fine, meaning, if I edit my filebeat.yml and say "paths: /mypath/logs/*.log OR /request.log" only one log goes into kibana, that is the request.log, but if I put "paths: /mypath/logs/myproject.log", nothing comes up in kibana, and this same file together with all others were showing up before I made a pipeline update...
Here is my pipeline update "PUT" request payload, and I am sending it to: {{host}}/_ingest/pipeline/xyz_pipeline
{
"description" : "Description xyz pipeline",
"processors": [
{
"gsub": {
"field": "message",
"pattern": "\n",
"replacement": "\\n"
}
},
{
"grok": {
"field": "message",
"patterns": ["%{IPORHOST:log.clientip} %{USER:log.ident} %{USER:log.auth} %{HTTPDATE:log.rawdatetime} "(?:%{WORD:log.verb} %{NOTSPACE:log.request}(?: HTTP/%{NUMBER:log.httpversion})?|%{DATA:log.rawrequest})" %{NUMBER:log.response} (?:%{NUMBER:log.bytes}|-)","%{DATE_EU:log.date} %{TIME:log.time} %{DATA:log.module} %{GREEDYDATA:log.message}"],
"on_failure": [
{
"set":{
"field": "ingestError",
"value": "{{ _ingest.on_failure_message }}"
}
},
{
"set":{
"field": "log.datetime",
"value": "{{ @timestamp }}"
}
}
]
}
}
]
}
I can see this being printed out in my filebeat log, which tells me (I think) that the logs are being pushed to elastic:
2017-08-11T12:16:37-04:00 INFO Non-zero metrics in the last 30s: filebeat.harvester.open_files=1 filebeat.harvester.running=1 filebeat.harvester.started=1 libbeat.es.call_count.PublishEvents=1 libbeat.es.publish.read_bytes=1804 libbeat.es.publish.write_bytes=136541 libbeat.es.published_and_acked_events=1 libbeat.publisher.published_events=1 publish.events=10 registrar.states.current=153 registrar.states.update=10 registrar.writes=2
Advice appreciated....