Input file start_position => "beginning" doesn't work even after deleting .sincedb files

Prathamesh · February 19, 2017, 6:16am

Hello World

Version: ElasticSearch-5.2.1/Logstash-5.2.1/Kibana-5.2.1
OS: Windows 2008

I've just started working on the ELK Stack & am facing some problems loading data
I've got the following .json code

input {
  file {
    path => "D:\server.log"
	start_position => beginning
  }
}
filter {  
        grok {
                match => ["message","\[%{TIMESTAMP_ISO8601:timestamp}\] %{GREEDYDATA:log_message}"]
            }
			date {
match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
target => "@timestamp"
}
        }
output {
  elasticsearch {
    hosts => "localhost:9200"
  }
}

I've deleted the .sincedb files

And yet when I extract log info in Kibana, I can see data starting only since I first parsed
I've got data worth 2-3 months in my log file

Please advise

Thanks
P

magnusbaeck · February 22, 2017, 6:37am

Hard to tell what's going on. If you increase Logstash's log level and check your logs you'll get clues about what the file input is doing.

system · March 22, 2017, 6:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.