I am reading an audit file using log stash. The problem is log stash doesn't read the last record in a file let's call that record X. when I push another record in a file let's call it Y. it reads the X and presents it in output but it doesn't show Y in the output. This goes on. When I stop the log stash it then reads the last record in a file and shows it in output.
I need some suggestion or solutions to solve this issue.
Are you using a multiline codec?
Yes I am using it.
Using the auto_flush_interval option might help. A multiline codec will not push an event until it has a complete event, for some configurations that means it needs to see the first line of the next event before it can push the previous event into the pipeline.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.