logstash output elasticsearch index with sequence number

Time:12-18

I am using AWS Elasticsearch (version 7.10) with Logstash 7.10. The intention is to send the content from Logstash to Elasticsearch and roll over the index after a particular size or time using a policy.

policy: {
    "policy_id": "Rollover_Policy",
    "description": "roller index",
    "last_updated_time": 1634910129219,
    "schema_version": 1,
    "error_notification": null,
    "default_state": "hot",
    "states": [
        {
            "name": "hot",
            "actions": [
                {
                    "rollover": {
                        "min_size": "1mb"
                    }
                }
            ],
            "transitions": [
                {
                    "state_name": "warm"
                }
            ]
        },
        {
            "name": "warm",
            "actions": [
                {
                    "replica_count": {
                        "number_of_replicas": 1
                    }
                }
            ],
            "transitions": [
                {
                    "state_name": "delete",
                    "conditions": {
                        "min_index_age": "1h"
                    }
                }
            ]
        },
        {
            "name": "delete",
            "actions": [
                {
                    "delete": {}
                }
            ],
            "transitions": []
        }
    ],
    "ism_template": [
        {
            "index_patterns": [
                "products*"
            ],
            "priority": 100,
            "last_updated_time": 1634910129219
        }
    ]
}

When I try to set ilm_enabled to true in the Logstash output plugin, it is not able to connect to the Elasticsearch xpack API.

Note: xpack and ILM are not supported in AWS Elasticsearch.

elasticsearch {  
        hosts => "${elasticsearch_endpoint}"
        user => "${elasticsearch_user}"
        password => "${elasticsearch_password}"
        ilm_enabled => true
        ilm_rollover_alias => "products"
        ilm_pattern => "{now/d}-000001"
        ilm_policy => "Rollover_Policy"
}

So I changed the ilm_enabled flag to false and tried the option below:

elasticsearch {
        hosts => "${elasticsearch_endpoint}"
        user => "${elasticsearch_user}"
        password => "${elasticsearch_password}"
        ilm_enabled => false
        index => "products-%{+YYYY.MM.dd}-000001"
}

Now the problem is that even after the rollover, Logstash is still sending the documents to the 001 index instead of the new index. If I don't give -000001 in the index name, then the rollover fails.

CodePudding user response:

Create an index with the following REST request in Elasticsearch. Since the index name has a date pattern, the rollover will create a new index with the current date.

PUT 
{
  "settings":{
    "number_of_shards":1,
    "number_of_replicas":1
  },
  "aliases": {
    "products":  {
      "is_write_index": true
    }
  }
}

Create a template for the index pattern along with the rollover alias:

PUT _index_template/products_logs
{
  "index_patterns": [
    "products*"
  ],
  "template": {
    "settings": {
      "number_of_shards": 1,
      "number_of_replicas": 1,
      "opendistro": {
        "index_state_management": {
          "rollover_alias": "products"
        }
      }
    }
  }
}

In the Logstash output plugin, give the details below to send the data to Elasticsearch:

elasticsearch {  
        hosts => "${elasticsearch_endpoint}"
        user => "${elasticsearch_user}"
        password => "${elasticsearch_password}"
        ilm_enabled => false 
        index => "products"
}

Note: the index name here is the alias name of the index.
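
A preflight check for the setup this answer describes, as an added example that is not part of the original answer: it takes the Logstash `index` value plus the responses of `GET _alias/products` and `GET <index>/_settings` and lists what would stop a rollover from redirecting writes. The function names, the response shapes and the sample index name are assumptions made for the example.

```python
import re

SUFFIX = re.compile(r"^(.*)-(\d+)$")  # rollover needs a name ending in -<number>

def next_rollover_name(index):
    """Counter part of the rollover name: +1, zero-padded to six digits.
    A date-math prefix is re-resolved by the server; it is kept as-is here."""
    m = SUFFIX.match(index)
    if not m:
        raise ValueError(f"{index!r} does not end in -<number>")
    return f"{m.group(1)}-{int(m.group(2)) + 1:06d}"

def write_index(alias_resp, alias):
    """Index that receives documents sent to the alias, or None."""
    backing = [n for n, b in alias_resp.items() if alias in b.get("aliases", {})]
    flagged = [n for n in backing if alias_resp[n]["aliases"][alias].get("is_write_index")]
    if flagged:
        return flagged[0]
    return backing[0] if len(backing) == 1 else None

def preflight(logstash_index, alias, alias_resp, settings_resp):
    """Reasons why a rollover would not move Logstash's writes to the new index."""
    problems = []
    if logstash_index != alias:
        problems.append("logstash index is not the alias")
    target = write_index(alias_resp, alias)
    if target is None:
        return problems + ["alias has no write index"]
    if not SUFFIX.match(target):
        problems.append("write index name does not end in -<number>")
    ism = (settings_resp.get(target, {}).get("settings", {}).get("index", {})
           .get("opendistro", {}).get("index_state_management", {}))
    if ism.get("rollover_alias") != alias:
        problems.append("rollover_alias setting does not match the alias")
    return problems

# Constructed sample responses (shapes assumed from GET _alias/products and
# GET <index>/_settings); the index name is made up for the example.
IDX = "products-2021.10.22-000001"
ALIAS_RESP = {IDX: {"aliases": {"products": {"is_write_index": True}}}}
SETTINGS_RESP = {IDX: {"settings": {"index": {"opendistro": {
    "index_state_management": {"rollover_alias": "products"}}}}}}

if __name__ == "__main__":
    print(preflight("products", "products", ALIAS_RESP, SETTINGS_RESP))
    print(preflight(IDX, "products", ALIAS_RESP, SETTINGS_RESP))
    print(next_rollover_name(IDX))
```

The second call reproduces the question's symptom: a concrete `-000001` name in the Logstash output keeps receiving documents after the alias's write index has moved on.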
