chore(kb/logstash): add troubleshooting

2026-02-09 05:44:23 +00:00 · 2025-03-29 17:27:02 +01:00
parent b526fd5f36
commit b52b7c398e
1 changed files with 81 additions and 1 deletions
--- a/base/logstash.md
+++ b/base/logstash.md
@@ -5,6 +5,9 @@ Server-side data processing pipeline that ingests data, transforms it, and then
 Part of the Elastic Stack along with Beats, [ElasticSearch] and [Kibana].

 1. [TL;DR](#tldr)
+1. [Troubleshooting](#troubleshooting)
+   1. [Check a pipeline is processing data](#check-a-pipeline-is-processing-data)
+   1. [Log pipeline data to stdout](#log-pipeline-data-to-stdout)
 1. [Further readings](#further-readings)
   1. [Sources](#sources)

@@ -14,7 +17,9 @@ Part of the Elastic Stack along with Beats, [ElasticSearch] and [Kibana].
  <summary>Setup</summary>

 ```sh
+dnf install 'logstash'
 docker pull 'logstash:7.17.27'
+yum install 'logstash'
 ```

 </details>
@@ -55,7 +60,7 @@ logstash-plugin list --group 'output'
 # Get Logstash's status.
 curl -fsS 'localhost:9600/_health_report?pretty'

-# Get pipelines statistics.
+# Get pipelines' statistics.
 curl -fsS 'localhost:9600/_node/stats/pipelines?pretty'
 curl -fsS 'localhost:9600/_node/stats/pipelines/somePipeline?pretty'
 ```
@@ -126,6 +131,79 @@ output {
 </details>
 -->

+## Troubleshooting
+
+### Check a pipeline is processing data
+
+<details>
+  <summary>Steps in order of likeliness</summary>
+
+1. Check the Logstash process is running correctly
+
+   ```sh
+   systemctl status 'logstash.service'
+   journalctl -xefu 'logstash.service'
+
+   docker ps
+   docker logs 'logstash'
+   ```
+
+1. Check the Logstash process is getting and/or sending data:
+
+   ```sh
+   tcpdump 'dst port 8765 or dst opensearch.example.org'
+   ```
+
+1. Check the pipeline's statistics are changing:
+
+   ```sh
+   curl -fsS 'localhost:9600/_node/stats/pipelines/somePipeline' \
+   | jq '.pipelines."somePipeline"|{"events":.events,"queue":.queue}' -
+   ```
+
+   ```json
+   {
+     "events": {
+       "in": 20169,
+       "out": 20169,
+       "queue_push_duration_in_millis": 11,
+       "duration_in_millis": 257276,
+       "filtered": 20169
+     },
+     "queue": {
+       "type": "memory",
+       "events_count": 0,
+       "queue_size_in_bytes": 0,
+       "max_queue_size_in_bytes": 0
+     }
+   }
+   ```
+
+1. Check the pipeline's input and output plugin's statistics are changing:
+
+   ```sh
+   curl -fsS 'localhost:9600/_node/stats/pipelines/somePipeline' \
+   | jq '.pipelines."somePipeline".plugins|{"in":.inputs,"out":.outputs[]|select(.name=="opensearch")}' -
+   ```
+
+1. [Log the pipeline's data to stdout][log pipeline data to stdout] to check data is parsed correctly.
+
+</details>
+
+### Log pipeline data to stdout
+
+Leverage the `stdout` output plugin in any pipeline's configuration file:
+
+```rb
+output {
+  stdout {
+    codec => rubydebug {
+      metadata => true   # also print metadata in console
+    }
+  }
+}
+```
+
 ## Further readings

 - [Website]
@@ -143,6 +221,8 @@ output {
  -->

 <!-- In-article sections -->
+[log pipeline data to stdout]: #log-pipeline-data-to-stdout
+
 <!-- Knowledge base -->
 [beats]: beats.md
 [elasticsearch]: elasticsearch.md