I am using Logstash version 2.4.0. I have an index listOfIps with type ip and a single field inside it as ip.

I am using the following section of configuration in my Logstash configuration to check if the ip exists in my index and copy it to a new field.
```
elasticsearch {
  hosts => ["1.2.3.4:9200"]
  query => "ip:0.1.2.7"
  fields => {"ip" => "ip_found_on_es"}
}
```
But it is not working. The ip 0.1.2.7 exists on Elasticsearch, still I am not able to get the expected result.

What am I doing wrong here?
```
elasticsearch {
  hosts => ["localhost:9200"]
  user => "elastic"        # use if x-pack is enabled
  password => "elastic"    # use if x-pack is enabled
  index => "listOfIps"
  query => "ip:0.1.2.7"
  enable_sort => false
  fields => {"ip" => "ip_found_on_es"}
}
```
Try to give a specific index, because if you don't specify any, Logstash will query all indices, which will slow down your work.

One reason might be that your index does not have @timestamp attached to each document indexed, and Logstash tries to get your results sorted based on the @timestamp field. You can disable sort with "enable_sort => false".
Thanks, just let me know if it works or not.
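A complete pipeline built around the filter from this answer, as an added example and not code from the question or the answer: it assumes each incoming event carries the address to check in a field named src_ip (an assumed name) and tags events whose address is found in listOfIps; the index name, hosts and enable_sort setting are the ones used in the thread.

```logstash
# Added example pipeline (not from the question or the answer): looks each
# event's source IP up in the listOfIps index and tags the event on a hit.
# Assumed names: the incoming field [src_ip] and the tags ip_on_list / ip_not_on_list.
input {
  stdin {}
}

filter {
  # Constructed sample input: one JSON line such as {"src_ip":"0.1.2.7"}
  json {
    source => "message"
  }

  if [src_ip] {
    elasticsearch {
      hosts       => ["localhost:9200"]
      # Query only the lookup index instead of every index on the cluster
      index       => "listOfIps"
      # Build the query from the event instead of hard-coding one address
      query       => "ip:%{[src_ip]}"
      # The lookup index has no @timestamp, so do not ask Elasticsearch to sort on it
      enable_sort => false
      # Copy the matched document's ip field into the event
      fields      => { "ip" => "ip_found_on_es" }
    }
  }

  # A match sets [ip_found_on_es]; its absence means the address is not on the list
  if [ip_found_on_es] {
    mutate {
      add_tag => ["ip_on_list"]
    }
  } else {
    mutate {
      add_tag => ["ip_not_on_list"]
    }
  }
}

output {
  stdout {
    codec => rubydebug
  }
}
```

Run it with `bin/logstash -f <this file>` and paste a JSON line on stdin; an address present in listOfIps comes back tagged ip_on_list with ip_found_on_es populated, any other address comes back tagged ip_not_on_list.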