Nothing appearing in kibana dashboard

elasticsearch logstash kibana

I have installed

Logstash ElasticSearch Kibana

on an EC2 instance.

I can visit http://example.com:9200 Here I get

{
  "status" : 200,
  "name" : "Aleta Ogord",
  "version" : {
  "number" : "1.1.0",
  "build_hash" : "2181e113dea80b4a9e31e58e9686658a2d46e363",
  "build_timestamp" : "2014-03-25T15:59:51Z",
  "build_snapshot" : false,
  "lucene_version" : "4.7"
},
  "tagline" : "You Know, for Search"
}

So elastic search is working, but when I go to

http://example.com/kibana

I get "No results There were no results because no indices were found that match your selected time span"

I have a config file in

/etc/logstash/conf.d/ that contains the following:-

input {
  file {
  path => "/var/log/apache/access.log"
  type => "apache-access"
 }
}

filter {
  grok {
  type => "apache-access"
  pattern => "%{COMBINEDAPACHELOG}"
 }
}

 output {
 stdout { }

 elasticsearch {
 host => "127.0.0.1"
  }
}

I have checked the logstash log file, and there are no relevent error messages

Please help


I had an issue where I deleted my index in ElasticSearch, then recreated it. After that nothing appeared in Kibana.

The solution: Simply delete the kibana index pattern on the Settings tab, then create it again. Same name same everything, but now it gave me data.


For others that are looking at similar problem here is my experience.

I had a really silly issue when I first got everything setup. I got my index setup and Kibana and was getting 0 hits. I confirmed data was in elasticsearch by going to the following url

http://:9200/_search?pretty=true ip for most people will be localhost I was using docker so it was my boot2docker ip. Checked that the index was set to logstash-Date

However in kibana I didn't realize the date time was set to a day in the past. Increasing the range showed my logs. If your new to ELK like me the date time is in the upper right hand corner in Kibana 4.


What do you see if you go to http://example.com:9200/_aliases?pretty That should show you a list of the indices on the server. This is what the first bit of ours looks like (we have indices split by hour rather than day) ...

{
      "logstash-2014.04.01.18" : {
        "aliases" : { }
      },
      "logstash-2014.04.01.17" : {
        "aliases" : { }
      },
      "logstash-2014.04.01.16" : {
        "aliases" : { }
      },
      "logstash-2014.04.01.15" : {
        "aliases" : { }
      },

Assuming that looks sensible check what you've got configured in Kibana as a index template - default is [logstash-]YYYY.MM.DD. Make sure the one you're using matches what you get back from _aliases.

Given there's nothing shown in the response to _aliases there's a strong implication that Logstash isn't reading the input. When I was first experimenting with Logstash I had

                start_position => "beginning"

in my file stanza. For example ...

    file {
            path => "/var/Log/maillog*"
            type => "mailf"
            charset => "locale"
            start_position => "beginning"
    }

That might help - gets round the problem of Logstash thinking that it's already dealt with the contents of the file. You might also want to enable debug output as suggested at https://stackoverflow.com/questions/19086404/how-to-debug-the-logstash-file-plugin

Related

Gluster bricks are offline and errors in logs
Debian Wheezy IPv6 isn't configured with ifup post-up hook
High CPU% stolen on EC2 instance at extremely regular intervals
Difficulty racking HP ProLiant Gen8 servers
connect to ssh server thru 80 via HTTP proxy?
CPU 100% idle but still showing load average
DRBD & KVM replication is possible?
Examples where an AWS Security Group is not sufficient as a firewall?
Which Linux distribution runs smoothly in Sun's VirtualBox?
Update from zfs-0.6.2-1.el6.x86_64 to zfs-0.6.3-1.el6.x86_64 has made by zpool unreadable
MySQL replication not working - no errors
Read-only root file system - ext3 error?