ELK logstash 无法在 ES 中创建索引
[英]ELK logstash cant create index in ES
问题描述
after following this tuto ( https://www.bmc.com/blogs/elasticsearch-logs-beats-logstash/ ) in order to use logstash to analyze some log files, my index was created fine at the first time, then I wanted to re-index new files with new filters and new repositories so I deleted via "curl XDELETE" the index and now when I restart logstash and filebeat, the index is not created anymore.. I dont see any errors while launching the components.
按照这个教程( https://www.bmc.com/blogs/elasticsearch-logs-beats-logstash/ )为了使用logstash分析一些日志文件,我的索引第一次创建得很好,然后我想要使用新过滤器和新存储库重新索引新文件,所以我通过“curl XDELETE”删除了索引,现在当我重新启动 logstash 和 filebeat 时,不再创建索引..启动组件时我没有看到任何错误。 Do I need to delete something else in order to re-create my index?我是否需要删除其他内容才能重新创建我的索引?
1 个解决方案
解决方案1
2 2020-01-02 13:53:13
Ok since my guess (see comments) was correct, here's the explanation:好的,因为我的猜测(见评论)是正确的,下面是解释:
To avoid that filebeat reads and publishes lines of a file over and over again, it uses a registry to store the current state of the harvester:为了避免 filebeat 一遍又一遍地读取和发布文件的行,它使用注册表来存储收割机的当前状态:
The registry file stores the state and location information that Filebeat uses to track where it was last reading.
As you stated, filebeat successfully harvested the files, sent the lines to logstash and logstash published the events to elasticsearch which created the desired index.正如您所说,filebeat 成功收集了文件,将行发送到 logstash,logstash 将事件发布到创建所需索引的 elasticsearch。 Since filebeat updated its registry, no more lines had to be harvested and thus no events were published to logstash again, even when you deleted the index.由于 filebeat 更新了其注册表,因此无需收集更多行,因此即使您删除了索引,也不会再次将事件发布到 logstash。 When you inserted some new lines, filebeat reopened the harvester and published only the new lines (which came after the "registry checkpoint") to logstash.当您插入一些新行时,filebeat 会重新打开收割机并仅将新行(在“注册表检查点”之后)发布到 logstash。
The default location of the registry file is ${path.data}/registry (see Filebeat's Directory Layout Overview ).注册表文件的默认位置是${path.data}/registry (参见Filebeat 的目录布局概述)。
... maybe the curl api call is not the best solution to restart the index
This has nothing to do with deleting the index.这与删除索引无关。 Deleting the index happens inside elasticsearch.删除索引发生在 elasticsearch 内部。 Filebeat has no clue about your actions in elasticsearch. Filebeat 对您在 elasticsearch 中的操作一无所知。
Q: Is there a way to re-create an index based on old logs?
Yes, there are some ways you should take into consideration:是的,您应该考虑以下一些方法:
- You can use the reindex API which copies documents from one index to another.您可以使用reindex API将文档从一个索引复制到另一个索引。 You can update the documents while reindexing them into the new index.您可以在将文档重新索引到新索引中的同时更新文档。
- In contrast to the reindex you can use the update by query API to update documents that will remain in the original index.与重新索引相反,您可以使用按查询更新API来更新将保留在原始索引中的文档。
- Lastly you could of course delete the registry file.最后,您当然可以删除注册表文件。 However this could cause data loss.但是,这可能会导致数据丢失。 But for development purposes I guess that's fine.但出于开发目的,我想这很好。
Hope I could help you.希望我能帮到你。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.