Input file start_position => "beginning" doesn't work even after deleting .sincedb files

Prathamesh · February 19, 2017, 6:16am

Hello World

Version: ElasticSearch-5.2.1/Logstash-5.2.1/Kibana-5.2.1
OS: Windows 2008

I've just started working on the ELK Stack & am facing some problems loading data
I've got the following .json code

input {
  file {
    path => "D:\server.log"
	start_position => beginning
  }
}
filter {  
        grok {
                match => ["message","\[%{TIMESTAMP_ISO8601:timestamp}\] %{GREEDYDATA:log_message}"]
            }
			date {
match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
target => "@timestamp"
}
        }
output {
  elasticsearch {
    hosts => "localhost:9200"
  }
}

I've deleted the .sincedb files

And yet when I extract log info in Kibana, I can see data starting only since I first parsed
I've got data worth 2-3 months in my log file

Please advise

Thanks
P

magnusbaeck · February 22, 2017, 6:37am

Hard to tell what's going on. If you increase Logstash's log level and check your logs you'll get clues about what the file input is doing.

Topic		Replies	Views
File input monitoring a file or folder always reads from beginning Logstash	2	786	July 6, 2017
File input not working - logstash 2.2.2 Logstash	5	1385	July 6, 2017
Reading from first Logstash	14	478	July 9, 2018
Logstash + sincedb_path and start_position Logstash	2	14818	July 6, 2017
Logstash startup completed nothing proceeds after this command in logstash Logstash	6	893	December 21, 2017

Input file start_position => "beginning" doesn't work even after deleting .sincedb files

Related topics