Unable to restore snapshots in Elasticsearch

I am getting error while restoring Snapshot. Details are mentioned below

API Call: 'POST /_snapshot/elkSnapshots/snapshot-20200830-sdfs/_restore?
{
"indices": "*"
}'

Error: {
"error" : {
"root_cause" : [
{
"type" : "snapshot_restore_exception",
"reason" : "[elkBackupS3:snap-test-20200902/izdTtzXLSTuhwQRlD6z6IA] cannot restore index [filebeat-2020.08.18] because an open index with same name already exists in the cluster. Either close or delete the existing index or restore the index under a different name by providing a rename pattern and replacement name"
}
],
"type" : "snapshot_restore_exception",
"reason" : "[elkBackupS3:snap-test-20200902/izdTtzXLSTuhwQRlD6z6IA] cannot restore index [filebeat-2020.08.18] because an open index with same name already exists in the cluster. Either close or delete the existing index or restore the index under a different name by providing a rename pattern and replacement name"
},
"status" : 500
}

I found in internet to delete indices or close indices to restore. Please find my thoughts on this below
Delete Indices: Even after deleting Data. Logtash keep on sending data so new indice would be created then will get same error.
Close Indices: After closing indices I get error in Kibana that all indices are closed hence kibana is down.

Please suggest approach to tackle this problem.

Why not use a rename as per the example here - https://www.elastic.co/guide/en/elasticsearch/reference/current/snapshots-restore-snapshot.html?

@warkolm If I rename pattern then Data will not come in filebeat dashboard as I have specified it starts with 'filebeat-'. After renaming it would be like 'restored_filebeat-' then there will be no data in kibana dashboard.

You can rename it however you want, so filebeat-restored-timestamp.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.