This article will help you diagnose why no data is appearing in Elasticsearch or Kibana in a few easy steps.
1. Ensure your data source is configured correctly
Getting started sending data to Logit is quick and simple. Using the Data Source Wizard, you can access pre-configured setup and snippets for nearly all possible data sources.
How to use the Data Source Wizard
Log in to your Logit account.
For any of your Logit stacks, choose Send Data To Stack.
Type the name of the data source you are configuring or just browse for it.
Follow the steps for your chosen data source (you can copy the snippets including pre-populated stack IDs and keys 😃).
2. Enable logging if you are using an Elastic Beat
If you are using an Elastic Beat to send data into Elasticsearch (e.g. Filebeat, Metricbeat etc.), you can enable additional logging from the daemon by running it with the -e command line flag. This redirects the output that is normally sent to Syslog to standard error. For example, see the command below.
You will be able to diagnose whether the Elastic Beat is able to harvest the files properly or if it can connect to your Logstash or Elasticsearch node.
3. Check Logstash logs for your stack
You can check the Logstash log output for your ELK stack from your dashboard.
From any stack in your dashboard choose View Stack Settings > Diagnostic Logs. You will see an output similar to below. Any errors with Logstash will appear here.
4. Can you see your data in Elasticsearch?
To check if your data is in Elasticsearch we need to query the indices. To do this you will need to know your endpoint address and your API Key. From any stack in your dashboard choose View Stack Settings > Elasticsearch Settings.
To query the indices, run the following curl command, substituting the endpoint address and API key for your own. Alternatively, you can navigate to the URL in a web browser, remembering to substitute the endpoint address and API key for your own.
curl "https://Your-Endpoint-es.logit.io/_cat/indices?v&apikey=Your-API-Key"
You should see something returned similar to the below image. Anything that starts with . is a system index. Everything else is a regular index. If you can see regular indices, that means your data is being received by Elasticsearch.
If your data is being sent to Elasticsearch but you can't see it in Kibana, it could be that you're querying one index in Kibana but your data is in another index. You can refer to this help article to learn more about indexes.
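To make the check in this step repeatable, the following added example (not part of Logit's documentation) filters _cat/indices?v output down to the regular indices and their document counts, and signals through its exit status whether any of them holds data. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `_cat/indices?v` output read on stdin.
# Prints "<index> <docs.count>" for each regular (non-dot) index.
# Exit: 0 = a regular index holds documents, 1 = regular indices are all
# empty, 2 = only system indices returned, 3 = header row not recognised.
regular_indices() {
    awk '
        NR == 1 {
            # Find columns by header name instead of fixed position.
            hn = NF
            for (i = 1; i <= NF; i++) {
                if ($i == "index")      idx = i
                if ($i == "docs.count") cnt = i
            }
            if (!idx || !cnt) exit 3
            next
        }
        NF != hn     { next }   # row lacks some columns; skip it
        $idx ~ /^\./ { next }   # system index such as .kibana
        {
            print $idx, $cnt
            seen = 1
            if ($cnt + 0 > 0) docs = 1
        }
        END {
            if (!idx || !cnt) exit 3
            exit (docs ? 0 : (seen ? 1 : 2))
        }
    '
}

# Constructed sample output (not from a real stack).
sample_indices() {
    cat <<'EOF'
health status index               uuid   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1           aaaa11   1   1         12            0     60.2kb         30.1kb
green  open   filebeat-2024.01.15 bbbb22   1   1       4821            0      3.1mb          1.5mb
green  open   logstash-2024.01.15 cccc33   1   1          0            0       416b           208b
EOF
}

sample_indices | regular_indices
# Live use, with the placeholders from the curl command above:
# curl -s "https://Your-Endpoint-es.logit.io/_cat/indices?v&apikey=Your-API-Key" | regular_indices
```

An exit status of 2 means Elasticsearch answered but holds only system indices, which points back to the data source or Logstash steps above rather than to Kibana.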
5. Can you connect to your Logit ELK stack?
Can you connect to your stack, or is your firewall blocking the connection? Run the following command to check if you can connect to your stack.
Remember to substitute the Logstash endpoint address & TCP SSL port for your own Logstash endpoint address & port.
openssl s_client -connect <your-logstash-endpoint>-ls.logit.io:<your-stack-TCP-SSL-port>
If your ports are open you should receive output similar to the below ending with a verify return code of 0.
You can find the details for your stack's Logstash endpoint address & TCP SSL port under the Logstash inputs tab on the stack settings menu from your dashboard.
6. Can you resolve the DNS?
To confirm you can connect to your stack, use the example below to try to resolve the DNS of your stack's Logstash endpoint.
In Windows open a command prompt and run the following command:
On Linux / Unix / macOS you can use dig.
dig a your-logstash-endpoint-ls.logit.io
Still having trouble?
If you are still having trouble you can contact our support team here.