问题: Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-user-2021.10.13", :routing=>nil}, {"tags"=>["_grokparsefailure_sysloginput"]
解决:(永久性解决)
elasticsearch7版本以上的,默认只允许1000个分片,因为集群分片数不足引起的
curl --user elc:password -XPUT -H "Content-Type:application/json" -d '{"transient":{"cluster":{"max_shards_per_node":10000}}}' 'http://19.16.48.51:9200/_cluster/settings'