Problem with filebeat

cdfwb1992 · July 3, 2017, 5:38am

Hi, I followed this tutorial "https://www.elastic.co/guide/en/beats/filebeat/5.4/filebeat-getting-started.html" step by step, but Kibana shows me 0 hits and No results found.

Pandiyan_M · July 3, 2017, 10:14am

Configure filebeat.yml with log file path and map it to ELK server ( single node) in output under filebeat.yml, then give some entry inside log path and check it will get reflected in kibana, there will be 30 sec time out.

steffens · July 3, 2017, 1:43pm

your setup is filebeat->Elasticsearch?

Have you had a look at the filebeat log output?

cdfwb1992 · July 3, 2017, 3:08pm

ye, I use filebeat->Elasticsearch. I am really new to this, do you mean logs in
/var/log/filebeat? I don't know which filebeat log output I can refer to.

cdfwb1992 · July 3, 2017, 3:16pm

My filebeat.yml is like:
filebeat.prospectors:

input_type: log
paths:
- /var/log/*.log

output.elasticsearch:
hosts: ["192.168.1.42:9200"]
Is it what you are saying?

steffens · July 4, 2017, 10:53am

yes, /var/log/filebeat contains the filebeats log output.

cdfwb1992 · July 4, 2017, 8:11pm

My log file is like this:
2017-07-04T15:14:50-04:00 INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2017-07-04T15:14:50-04:00 INFO Setup Beat: filebeat; Version: 5.4.3
2017-07-04T15:14:50-04:00 INFO Loading template enabled. Reading template file: /etc/filebeat/filebeat.template.json
2017-07-04T15:14:50-04:00 INFO Metrics logging every 30s
2017-07-04T15:14:50-04:00 INFO Loading template enabled for Elasticsearch 2.x. Reading template file: /etc/filebeat/filebeat.template-es2x.json
2017-07-04T15:14:50-04:00 INFO Loading template enabled for Elasticsearch 6.x. Reading template file: /etc/filebeat/filebeat.template-es6x.json
2017-07-04T15:14:50-04:00 INFO Elasticsearch url: http://192.168.1.42:9200
2017-07-04T15:14:50-04:00 INFO Activated elasticsearch as output plugin.
2017-07-04T15:14:50-04:00 INFO Publisher name: wenbo-VirtualBox
2017-07-04T15:14:50-04:00 INFO Flush Interval set to: 1s
2017-07-04T15:14:50-04:00 INFO Max Bulk Size set to: 50
2017-07-04T15:14:51-04:00 INFO filebeat start running.
2017-07-04T15:14:51-04:00 INFO Registry file set to: /var/lib/filebeat/registry
2017-07-04T15:14:51-04:00 INFO Loading registrar data from /var/lib/filebeat/registry
2017-07-04T15:14:51-04:00 INFO States Loaded from registrar: 2
2017-07-04T15:14:51-04:00 INFO Loading Prospectors: 1
2017-07-04T15:14:51-04:00 INFO Prospector with previous states loaded: 0
2017-07-04T15:14:51-04:00 INFO Starting prospector of type: log; id: 1462193845342389316
2017-07-04T15:14:51-04:00 INFO Loading and starting Prospectors completed. Enabled prospectors: 1
2017-07-04T15:14:51-04:00 INFO Start sending events to output
2017-07-04T15:14:51-04:00 INFO Starting spooler: spool_size: 2048; idle_timeout: 5s
2017-07-04T15:14:51-04:00 INFO Starting Registrar
2017-07-04T15:14:52-04:00 INFO Harvester started for file: /home/wenbo/Desktop/Tap-News/web_server/logs/main.log
2017-07-04T15:15:16-04:00 INFO Non-zero metrics in the last 30s: filebeat.harvester.open_files=1 filebeat.harvester.running=1 filebeat.harvester.started=1 libbeat.publisher.published_events=10
2017-07-04T15:15:46-04:00 INFO No non-zero metrics in the last 30s
2017-07-04T15:16:16-04:00 INFO No non-zero metrics in the last 30s
2017-07-04T15:16:21-04:00 ERR Connecting error publishing events (retrying): Get http://192.168.1.42:9200: net/http: request canceled while waiting for connection
2017-07-04T15:16:46-04:00 INFO No non-zero metrics in the last 30s
2017-07-04T15:17:16-04:00 INFO No non-zero metrics in the last 30s
2017-07-04T15:17:46-04:00 INFO No non-zero metrics in the last 30s
2017-07-04T15:17:52-04:00 ERR Connecting error publishing events (retrying): Get http://192.168.1.42:9200: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
2017-07-04T15:18:16-04:00 INFO No non-zero metrics in the last 30s
2017-07-04T15:18:46-04:00 INFO No non-zero metrics in the last 30s
2017-07-04T15:19:16-04:00 INFO No non-zero metrics in the last 30s

steffens · July 5, 2017, 12:04pm

See error message:

Get http://192.168.1.42:9200: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

Seems to be a problem with Elasticsearch. Either it's not running (correctly) or not at all.
You can try to increase the output.elasticsearch.timeout: 60s from default to 60s to much some higher value. But ultimately you want need to check Elasticsearch being available.

Have you tried curl http://192.168.1.42:9200 ?

cdfwb1992 · July 5, 2017, 4:29pm

Ye, I have tried 'curl http://192.168.1.42:9200 ', it works fine.

steffens · July 5, 2017, 7:38pm

have you tried to increase the timeout?

system · August 2, 2017, 7:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Unresolved] Absolutely nothing shows in any [Filebeat] Kibana Dashboards ("No results found") Beats filebeat	18	5465	March 8, 2019
FileBeat Optimization Beats filebeat	5	1303	November 14, 2016
Newbie and need help Beats filebeat	2	436	October 29, 2017
Filebeat 0 hits? Require help to resolve Elasticsearch	3	2473	May 11, 2016
Filebeat dashboard : No results found Kibana	3	2043	September 17, 2017

Problem with filebeat

Related topics