Is it expected that filestream input picks up all documents again when file is updated again after close.on_state_change.inactive is exceeded?

jori-be · March 15, 2024, 5:28pm

Hey all,

I'm using Filebeat 8.11.3 and I noticed that it sometimes resubmits documents that it already handled before.
So I'm wondering what the expected behaviour is of Filebeat.
There is a setting filestream input | Filebeat Reference [8.11] | Elastic.

How I think it works in this version is that the filestream input starts reading a file. In case it doesn't receive any new documents anymore in that file and the close.on_state_change.inactive time is exceeded, filebeat closes the handles for that file.
That makes sense to me.
But when there are new documents again after this time is exceeded, filebeat reprocesses all documents again.

Is this expected behavior? If not, how is it supposed to work?

Just for reference, this is input config I'm using:

filebeat:
    inputs:
    -   close.on_state_change.inactive: 10m
        enabled: true
        id: some_id_log
        paths:
        - /data/log/app/appparsed/*/app-*.log*
        prospector.scanner.exclude_files:
        - \.gz$
        type: filestream

10 minutes before the first log below, the logs were stopped and the handles was closed as expected.
Filebeat logs:

{"log.level":"info","@timestamp":"2024-03-14T08:52:55.387+0100","log.logger":"input.filestream","log.origin":{"file.name":"filestream/input.go","file.line":336},"message":"Reader was closed. Closing. Path='/data/log/app/appparsed/TEST-8-2-B-FGPVRPP-P-NI/app-TEST-8-2-B-FGPVRPP-P-NI.log'","service.name":"filebeat","id":"some_id_log","source_file":"filestream::some_id_log::native::536879026-64770","path":"/data/log/app/appparsed/TEST-8-2-B-FGPVRPP-P-NI/app-TEST-8-2-B-FGPVRPP-P-NI.log","state-id":"native::536879026-64770","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-03-14T08:53:20.378+0100","log.logger":"input.filestream","log.origin":{"file.name":"filestream/input.go","file.line":274},"message":"File was truncated. Reading file from offset 0. Path=/data/log/app/appparsed/TEST-8-2-B-FGPVRPP-P-NI/app-TEST-8-2-B-FGPVRPP-P-NI.log","service.name":"filebeat","id":"some_id_log","source_file":"filestream::some_id_log::native::536879026-64770","path":"/data/log/app/appparsed/TEST-8-2-B-FGPVRPP-P-NI/app-TEST-8-2-B-FGPVRPP-P-NI.log","state-id":"native::536879026-64770","ecs.version":"1.6.0"}

Thanks in advance!

leandrojmp · March 15, 2024, 6:05pm

Is this a network share or a path in the disk?

jori-be · March 19, 2024, 12:49pm

It is a local path, XFS filesystem

system · April 16, 2024, 2:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat holding open handles on deleted files Beats filebeat	3	866	October 1, 2021
Filebeat filestream input rereading rotated log files Beats docker , filebeat	15	2723	June 9, 2022
Filebeat: Exiting: Can only start an input when all related states are finished Beats filebeat	20	17646	October 16, 2018
Filestream input sends duplicates events on restart and during operation Beats filebeat	34	1755	July 23, 2023
Filebeat. Read each time from the beginning of the file. How? Beats filebeat	1	470	March 16, 2023

Is it expected that filestream input picks up all documents again when file is updated again after close.on_state_change.inactive is exceeded?

Related topics