Discuss the Elastic Stack

Ignore all files in s3 and read only current files from S3

Elastic Stack Logstash

user2416 (user2416) October 3, 2019, 6:07pm 1

how to ignore old files and push only latest log files from S3 using logstash. We are using logstash to push cloudtaril logs from s3 to elasticsearch. Cloudtrail logs are in below format

/AWSLogs/CloudTrail/xxxAccount Numberxxxx/aws-region/year(YYYY)/Month(MM)/day(DD)/

I need to pull only latest data(like data form current month), as the entire bucket has huge terrabytes of data and logstash is not able to scale that much data. Is there a way to do this?

larrylui October 14, 2019, 6:56am 2

have a try with start_position and sincedb_path

user2416 (user2416) October 15, 2019, 5:45pm 3

@larrylui I tried them, but logstash is listing all the files everytime first and then push data from the timestamp set in sincedb path. But even listing files is taking 3-4hrs everytime.

system (system) Closed November 12, 2019, 5:45pm 4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views	Activity
Listing all files in S3 everytime new file is added Logstash	1	324	November 7, 2019
Tell Logstash to ignore old files in s3 bucket Logstash	3	1595	May 4, 2020
Logstash s3 input, ignore old files Logstash	1	605	June 4, 2018
S3 input plugin. Parse again an S3 bucket Logstash	3	627	September 11, 2019
Logstash sometimes skipping files on S3 Logstash	1	565	October 29, 2018

© 2020. All Rights Reserved - Elasticsearch

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.