How should I force a filebeat to resend just only one particular file.
Or how may I drop for only one certain file its offset to force filebeat start processing this one file again?
Again, I'm talknig only about one concrete file. Keep in mind, that I have 100 log files in one directory and pointing to same destination. But I want to restart from scratch only 1 log file and 99 files leave at theirs offsets.
Note: this 1 file first deleted, then filled up and thats why I want to resend it.
PS: maybe its possible to define in filebeat.yml proprs for it separately to force filebeat always start from scratch? And in this case is it possible to change for only this setting scan_freq to 1s, leaving all other settings with scan_freq=10s?
The registry is where filebeat tracks what lines on what files have been read. You should be able to remove the info for the one file ur interested in and restart filebeat as mentioned in the above post.
ABC.log file was already processed and logs were shipped to outer system. This log is no longer being updated.
I want ABC.log to be reshipped again, while other files (DEF, XYZ) remains processed and shouldn't be reshipped.
All log files also must be kept (removes or deletings are prohibited).
If I do as you suggest - just double the wanted file and then delete it - what is the way to find if a file was shipped? What is the programmic command to ask filebeat if it has finished shipping of ABC.log file?
As I've mentioned - any edit of registry file leads to unpredictable fb behaviour. Seems like there are other places where fb stores some data to check registry's file integrity.
Otherwise not easily, Filebeat does report the number of events shipped... But it is a little hard to decipher... every 30s it reports / logs statistics which include the number events shipped you would need to capture all those and add them up...
You would need to configure for just that file so you don't accidentally load other logs.
Keeping in mind that filebeat hashes the filename to track if the file was renamed, isnt there a possibility to add this kind of functionality as a CLI command?
i.e.: $ filebeat ship <filename>
or $ filebeat reset stats <filename>
Also I didn't undestand registry's file contents. Is there any docs about it, 'cause there are plenty of differently formatted lines in it that provides info about log file offset, but why format differs (json-keys are sorted differently from line to line) - I didnt get it.
Another history - is that occasionaly another file with name 789543.log is created right next to registry file. This file is not permanent and the number changing all the time. Didnt get it what it means as well. Any directions?
Feel free to file a feature request against the beats repo here
The registry today does not have an API and the contents is not officially documented and is really not intended to be edited, edit at your your own risk.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.