Hi,
on log rotation, inode doesnt change and it doesnt put any new entry in sincedb file.
If I stop and start logstash, then new entry with new inode gets created for current file(xx.log) and new data is being sent.
Solution seems like, whenever log rotation happens, I need to restart logstash. The same file is used by another process(splunk forwarder). Not sure if that create this issue.
ran fsutil file queryfileid filename to get inode in windows
before restart
--inode-600059c12
after restart
--inode-300064a15
checked the inode in sincedb -
untill restart, even after log rotation it has only one entry and timestamp and offset alone gets updated.
after restart, one more entry added with latest inode for xx.log and start sending new data.
Any possible solution, let me know. Thanks.