Filebeat is not taking new entries from overwritten file

elasticheart · March 17, 2017, 4:46pm

Hi,

I am using ELK GA 5.0.0. In my Linux box, I am pushing vmstat entries to a file using the following shell script;

#!/bin/bash
while true
do
	>vmstatlog.log
	echo "`vmstat`"$'\n' >> vmstatlog.log
	sleep 2
done

The script is designed to empty the contents of the file vmstatlog.log and then writes to it. In this way, the file keeps only latest entry. But the problem is, my filebeat takes only one entry, after that no output is sent by filebeat. I checked the file and found that it gets updated every time. Whats wrong here, and how can I fix this?

andrewkroh · March 17, 2017, 5:59pm

The file will keep the same inode so Filebeat will not know to reread the whole file. To see this, add stat vmstatlog.log to the loop and you will see that the inode value never changes.

If you create a new file each time, then it will have a different inode, and Filebeat will read it.

elasticheart · March 17, 2017, 8:19pm

Hi

I have changed the script like below;

#!/bin/bash
while true
do
	rm vmstatlog.log
	echo "`vmstat`"$'\n' >> vmstatlog.log
	sleep 2
done

Still same effect

ruflin · March 20, 2017, 10:24am

Can you share your filebeat config and filebeat log output?

system · April 17, 2017, 10:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.