Force filebeat resend ONE particular file

notricky · March 12, 2021, 5:00pm

How should I force a filebeat to resend just only one particular file.
Or how may I drop for only one certain file its offset to force filebeat start processing this one file again?

Again, I'm talknig only about one concrete file. Keep in mind, that I have 100 log files in one directory and pointing to same destination. But I want to restart from scratch only 1 log file and 99 files leave at theirs offsets.

Note: this 1 file first deleted, then filled up and thats why I want to resend it.

PS: maybe its possible to define in filebeat.yml proprs for it separately to force filebeat always start from scratch? And in this case is it possible to change for only this setting scan_freq to 1s, leaving all other settings with scan_freq=10s?

notricky · March 15, 2021, 11:25pm

any hints or updates is it even possible?

notricky · March 20, 2021, 11:28pm

Is commuity or developers even see questions like this?

ChrsMark · March 22, 2021, 8:55am

Hi @notricky !

I think you can try to delete the entry for this file from registry file and restart Filebeat. In this the offset for this file will be recreated.

notricky · March 28, 2021, 6:50pm

Thanks!
What is the best way to do so?
Isnt there other places where info is stored?

notricky · April 11, 2021, 11:44pm

Any updates or ideas concerning my last question?

legoguy1000 · April 12, 2021, 12:19am

The registry is where filebeat tracks what lines on what files have been read. You should be able to remove the info for the one file ur interested in and restart filebeat as mentioned in the above post.

notricky · April 16, 2021, 11:40pm

So what is the way to do that securely with no impact on consistency to the rest files and the filebeat itself?

In example, if I change registry file anyway - then the reg file is recreteated from the top or even fb is not starting anymore after that.

So what is the way to do that?

stephenb · April 17, 2021, 12:03am

You could just copy the log file to a new file then it will get loaded when Filebeat starts...

Then as your original file starts to get more logs they will get picked up.

Then you can get rid of the copy...

notricky · April 17, 2021, 12:16am

Let me explain again.

I have these logs:

ABC.log
DEF.log
XYZ.log

ABC.log file was already processed and logs were shipped to outer system. This log is no longer being updated.
I want ABC.log to be reshipped again, while other files (DEF, XYZ) remains processed and shouldn't be reshipped.
All log files also must be kept (removes or deletings are prohibited).

So what I can do in that case?

stephenb · April 17, 2021, 12:23am

Then the only way I know of is hand edit the registry and remove the entry for that log file.

Or make a copy to somewhere else and load it.

Perhaps someone else will have a better idea

notricky · April 17, 2021, 12:24am

If I do as you suggest - just double the wanted file and then delete it - what is the way to find if a file was shipped? What is the programmic command to ask filebeat if it has finished shipping of ABC.log file?

notricky · April 17, 2021, 12:26am

As I've mentioned - any edit of registry file leads to unpredictable fb behaviour. Seems like there are other places where fb stores some data to check registry's file integrity.

stephenb · April 17, 2021, 12:32am

Depending on the size ...

I count the number of logs in the file.

wc -l ABC.log

Then load it and use Kibana Discover

Filter on log.file.path for that file and see if the counts match.

notricky · April 17, 2021, 12:34am

I see.
What if I'm not using elastic or kibana?

Is there any CLI interface to filebeat itself of any bash script that is applicable (the one that can be automated at last) in this case?

stephenb · April 17, 2021, 12:41am

Hmmm....

Count the entries in your destination?

Otherwise not easily, Filebeat does report the number of events shipped... But it is a little hard to decipher... every 30s it reports / logs statistics which include the number events shipped you would need to capture all those and add them up...

You would need to configure for just that file so you don't accidentally load other logs.

notricky · April 17, 2021, 2:16am

Keeping in mind that filebeat hashes the filename to track if the file was renamed, isnt there a possibility to add this kind of functionality as a CLI command?
i.e.:
$ filebeat ship <filename>
or
$ filebeat reset stats <filename>
Also I didn't undestand registry's file contents. Is there any docs about it, 'cause there are plenty of differently formatted lines in it that provides info about log file offset, but why format differs (json-keys are sorted differently from line to line) - I didnt get it.
Another history - is that occasionaly another file with name 789543.log is created right next to registry file. This file is not permanent and the number changing all the time. Didnt get it what it means as well. Any directions?

stephenb · April 17, 2021, 2:28am

@notricky

Feel free to file a feature request against the beats repo here

The registry today does not have an API and the contents is not officially documented and is really not intended to be edited, edit at your your own risk.

notricky · April 20, 2021, 10:11am

Ok, thanks.

Did as you suggest and have created an issue:

Whoever is interested in this feature please follow there and contribute with thumbsup! )

system · May 18, 2021, 12:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.