I have input file plugin configured in read mode where I read the entire file and use multiline to concat it into a single event.
input {
file {
path => "/absolute/path/to/xmls/**/*.xml"
start_position => "beginning"
max_open_files => 10000
mode => "read"
close_older => "1 minute"
codec => multiline {
charset => "ISO-8859-1"
pattern => "\Z"
what => "previous"
}
}
}
On initial run it worked perfectly. However I am confused as to what happens when an XML file, with the same filename gets added again with the last modified updated?
In theory, the file should be read again? Currently it doesn't seem to do so.
I tried by adding an XML file with a filename that got processed earlier. The XML files last modified has changed to a more recent time but with 10 minutes into waiting, the file has yet to be read by Logstash.
The reason why I want to re-use XML files with the same name is that these have content that occasionally get updated so I want to pull them in again and my elsticsearch output upserts the content if needed (based on document_id and XML internal updated timestamp).
Could someone explain to me how the file updates should work? Could it be that I have to disable .sincedb file from being created (/dev/null)?