I've configured Filebeat to get logs from Postgres, send them to Elasticsearch and then display them in Kibana.
Logs are sent successfully to Elasticsearch, but when I go to Kibana > Discovery I receive the error:
# [Index has exceeded [xxx] - maximum allowed to be analyzed for highlighting](https://discuss.elastic.co/t/index-has-exceeded-xxx-maximum-allowed-to-be-analyzed-for-highlighting/199303)
I've managed to turn off that error using advanced Kibana settings and set doc_table:highlight to false.
The thing is, when I go to Discover now I see some error in error.message field:
Provided Grok expressions do not match field value: [< 2018-03-27 09:48:04.468 CEST > LOG: could not receive data from client: Connection reset by peer]
and the log message is just:
2018-03-27 09:48:04.468 CEST > LOG: could not receive data from client: Connection reset by peer
So I was thinking that maybe these 2 issues are connected and I get that "exceeded" error because Filebeat can't parse the timestamp correctly?
Anyway, how should I fix it?
I was thinking that the timestamp from the logs could be parsed and used in the index to sort entries by it; instead it takes the timestamp of when the file was loaded into Elasticsearch.
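An added example (not from the post and not Filebeat's or Elastic's own pipeline code) that shows why a prefix pattern written for the default PostgreSQL line layout fails on the line quoted above, and how a parser that tolerates the `< ... >` wrapper recovers the log's own timestamp for `@timestamp`. It assumes the angle brackets come from a custom `log_line_prefix` such as `< %t > `, and the timezone-abbreviation table is a constructed assumption; the parser also accepts the plain default layout and numeric offsets, which goes beyond the single line in the question.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: the first is the exact layout from the question
# (assumed to come from a log_line_prefix like '< %t > '), the second is the
# plain layout a stock grok prefix pattern expects.
SAMPLE_LINES = [
    "< 2018-03-27 09:48:04.468 CEST > LOG: could not receive data from client: Connection reset by peer",
    "2018-03-27 09:48:04.468 CEST LOG:  database system is ready to accept connections",
]

# Regex equivalent of a grok pattern with an optional '< ... >' around the
# timestamp/timezone prefix. Named groups mirror ECS-style field names.
LOG_RE = re.compile(
    r"^(?:<\s*)?"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)"
    r"\s+(?P<tz>[A-Z]{2,5}|[+-]\d{2}(?::?\d{2})?)"
    r"(?:\s*>)?\s+"
    r"(?P<level>LOG|ERROR|FATAL|PANIC|WARNING|NOTICE|INFO|DEBUG\d?|DETAIL|HINT|STATEMENT):\s+"
    r"(?P<message>.*)$"
)

# Assumed mapping of abbreviations seen in these logs to UTC offsets; abbreviations
# are ambiguous in general, so the table is deliberately explicit and small.
TZ_OFFSETS = {"CEST": 2, "CET": 1, "UTC": 0, "GMT": 0}


def parse_postgres_line(line):
    """Return {'@timestamp', 'log.level', 'message'} with an offset-aware ISO 8601
    timestamp, or None when the line does not match (the failure in the question)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = m.group("timestamp")
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in ts else "%Y-%m-%d %H:%M:%S"
    naive = datetime.strptime(ts, fmt)
    tz = m.group("tz")
    if tz in TZ_OFFSETS:
        offset = timezone(timedelta(hours=TZ_OFFSETS[tz]))
    elif tz[0] in "+-":
        sign = 1 if tz[0] == "+" else -1
        hh, mm = tz[1:3], tz[3:].lstrip(":") or "00"
        offset = timezone(sign * timedelta(hours=int(hh), minutes=int(mm)))
    else:
        return None  # unknown abbreviation: failing is safer than mis-timing the event
    return {
        "@timestamp": naive.replace(tzinfo=offset).isoformat(),
        "log.level": m.group("level"),
        "message": m.group("message"),
    }
```

Run `parse_postgres_line` over `SAMPLE_LINES` to see both layouts yield the same event time; in an ingest pipeline the same idea is a grok pattern with an optional `<` / `>` around the prefix, followed by a date processor that uses the extracted timezone.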