Logstash hangs when trying to send data to Elasticsearch

Question

This is the output i have in my .config file for Logstash:

output {

   elasticsearch {
      document_type => "apache"

}}

When output is set to stdout {} it's working perfectly. I have Elasticsearch running locally with no issues. When i run the command:

sudo ./logstash -f sample_1.conf --debug

Logstash just hangs. This is what i got in the logs using --debug:

[DEBUG] 2018-03-04 03:28:56.245 [pool-2-thread-2] jvm - collector name {:name=>"ParNew"}
[DEBUG] 2018-03-04 03:28:56.255 [pool-2-thread-2] jvm - collector name {:name=>"ConcurrentMarkSweep"}
[DEBUG] 2018-03-04 03:28:58.448 [[main]<file] file - _globbed_files: /usr/share/logstash/bin/log_file.txt: glob is: ["/usr/share/logstash/bin/log_file.txt"]
[DEBUG] 2018-03-04 03:28:59.353 [Ruby-0-Thread-12: /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:617] pipeline - Pushing flush onto pipeline {:pipeline_id=>"main", :thread=>"#<Thread:0x34284e61@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:246 sleep>"}
[DEBUG] 2018-03-04 03:29:01.268 [pool-2-thread-2] jvm - collector name {:name=>"ParNew"}
[DEBUG] 2018-03-04 03:29:01.268 [pool-2-thread-2] jvm - collector name {:name=>"ConcurrentMarkSweep"}
[DEBUG] 2018-03-04 03:29:04.354 [Ruby-0-Thread-12: /usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:617] pipeline - Pushing flush onto pipeline {:pipeline_id=>"main", :thread=>"#<Thread:0x34284e61@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:246 sleep>"}

These lines just repeat themselves again and again indefinitely. Both Logstash and Elasticsearch versions are 6.2.2

What could be the problem?

Logstash does not reparse files which have already been parsed. So if you're reading a file that does not change, the next time logstash runs, all the line previously parsed won't be parsed again. See https://stackoverflow.com/questions/19546900/how-to-force-logstash-to-reparse-a-file. — baudsp, Mar 06 '18 at 17:33
Have you checked there's data in elasticsearch? Also you can have more than one output, so you could have stdout and elasticsearch at the same time. — baudsp, Mar 06 '18 at 17:35

sammy · Answer 1 · 2018-03-04T04:36:18.900

1

From version 6.0, ElasticSearch removed document types or mapping types. You can remove the document_type and try again.

Refer to https://www.elastic.co/guide/en/elasticsearch/reference/6.0/removal-of-types.html for more details.

edited Mar 04 '18 at 04:36

answered Mar 04 '18 at 04:28

sammy

524
4
11

so just have `elasticsearch` empty? – gambit2017 Mar 04 '18 at 05:01
if you have it empty, the defaults are applied. you can have other settings specific to your es instance but the document_type does not apply any more. – sammy Mar 04 '18 at 05:13

Logstash hangs when trying to send data to Elasticsearch

1 Answers1