elkninja
commented
4 months ago a default setting must have slipped in that is trying to force to a datastream and breaking. im just getting back into things, so i'll take a look and see what i can find.
Closed d1ngx closed 4 months ago
elkninja
commented
4 months ago a default setting must have slipped in that is trying to force to a datastream and breaking. im just getting back into things, so i'll take a look and see what i can find.
elkninja
commented
4 months ago ok, @d1ngx, i think this is resolved. logstash was in tail mode but the file wasnt changing. setting logstash to "READ" mode along with the flags to LOG once complete instead of deleting the file, makes this process a little more seamless i think. let me know if you have any other issues with it.
From https://www.elastic.co/cn/blog/getting-started-with-the-elastic-stack-and-docker-compose Note, the Logstash output index name is "logstash-%{+YYYY.MM.dd}". To see the data, you will need to create a Data View for the “logstash-*” pattern, as seen below.
But when I create Data View, there are only 2 sources, filebeat-8.12.0 and metricbeat-8.12.0. Logstash container logs :
[INFO ][logstash.outputs.elasticsearch][main] Not eligible for data streams because config contains one or more settings that are not compatible with data streams: {"index"=>"logstash-%{+YYYY.MM.dd}"}Is there anything wrong ?