Force Filebeat to re process a file


I added a new file on the filebeat.yml. It went into elastic but some of the fields were not parsed correctly. This file is only updated once per day at 9AM.

I modified the filebeat.yml to properly parse the file but now filebeat refuses to send the file to elastic a second time.

I started by removing the bad data from my index.

POST filebeat-*/_delete_by_query
  "query": {
    "match": {

I stopped the filebeat service and I edited the .json file in the registry by fully removing the only line that referenced "/var/log/qrsender/qrsender.log"

After restarting the service, I got nothing in elastic from this file.

Next, I modified "/var/log/qrsender/qrsender.log" by adding a line, saving, and then deleting the line so that the OS shows it was updated.

This didn't work.

I checked the .json file in the registry and there was a new line pointing to "/var/log/qrsender/qrsender.log" with the offset of 20K+.

I changed the offset to 0 and saved the file.

This didn't work.

I ran filebeat setup -e

This didn't work

filebeat test config returns Config OK

I checked the .json file and it again has the offset for "/var/log/qrsender/qrsender.log" at 22K+

I've been working on this for hours and it's quite frustrating. How can I get this file into elastic? I don't want to delete the entire registry as I have millions of documents.

Thanks in advance.

Here is the relevant parts of my filebeat.yml

- type: log
  enabled: true
    - /var/log/qrsender/*.log
  json.keys_under_root: true
  json.add_error_key: true


  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - decode_json_fields:
      fields: ["error"]
      process_array: false
      max_depth: 1
      target: ""
      overwrite_keys: true
      add_error_key: false
  - rename:
      - from: "error"
        to: "error.message"
      ignore_missing: true

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.