I am reading an audit file using log stash. The problem is log stash doesn't read the last record in a file let's call that record X. when I push another record in a file let's call it Y. it reads the X and presents it in output but it doesn't show Y in the output. This goes on. When I stop the log stash it then reads the last record in a file and shows it in output.
I need some suggestion or solutions to solve this issue.
Are you using a multiline codec?
Yes I am using it.
Using the auto_flush_interval option might help. A multiline codec will not push an event until it has a complete event, for some configurations that means it needs to see the first line of the next event before it can push the previous event into the pipeline.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.