Logstash 2.4.0 running on cmd but not as windows service

OS: windows server 2012 R2 Standard
Logstash 2.4.0
elasticsearch 2.1

I have a sample log file:
Timestamp Process TID Area Category EventID Level Message Correlation
06/07/2017 08:41:05.53 OWSTIMER.EXE (0x11DC) 0x09B4 SharePoint Foundation Timer 5utp Verbose Scheduled timer job Timer Service Lock Management, id {54C2091B-BD1B-4EDF-9611-CC825BD7BC91} at 07 Jun 2017 08:42:05 +0200 (now is 07 Jun 2017 08:41:05 +0200)
06/07/2017 08:41:05.53 OWSTIMER.EXE (0x11DC) 0x09B4 SharePoint Foundation Timer 5utp Verbose Scheduled timer job Health Statistics Updating, id {2E5817F6-132E-41E5-A4C7-EC63412FCC6D} at 07 Jun 2017 08:42:05 +0200 (now is 07 Jun 2017 08:41:05 +0200)
06/07/2017 08:41:05.53 OWSTIMER.EXE (0x11DC) 0x1940 SharePoint Foundation Timer 8e45 Verbose Begin invoke timer job Timer Service Lock Management, id {54C2091B-BD1B-4EDF-9611-CC825BD7BC91}, DB n/a 7506728f-1f02-4943-8886-78da52a83579

Below is my logparser.conf:

input {
  file {
    type => "logs"
    path => [ "D:/share/St-logs/Sh/ST-W2284-20170607-*.log" ]
    codec => multiline {
      negate => true
      pattern => "(^%{DATESTAMP})"
      what => "previous"
      charset => "UTF-8"
    }
    start_position => "beginning"
  }
}
filter {
  if [message] =~ /^Timestamp/ {
    drop { }
  }

  if [type] == "logs" {
    grok {
      match => ["message", "%{DATESTAMP:timestamp}%{SPACE}%{DATA:process}%{SPACE}\(%{WORD:pid}\)%{SPACE}%{WORD:tid}%{SPACE}%{DATA:area}%{SPACE}+\t+%{DATA:category}%{SPACE}\t+(%{WORD:event_id})\t+(%{WORD:level})\s+%{GREEDYDATA:message}"]
      overwrite => ["message"]
    }
    mutate {
      add_field => {
        "server" => "W2284"
      }
    }
    date {
      match => ["timestamp", "MM/dd/yyyy HH:mm:ss.SSS"]
      remove_field => ["timestamp"]
    }
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => "xx.xx.xxx.xx:9200"
    index => "sh"
  }
}

I am able to index data using cmd, but as a Windows service I am not able to index.
I enabled logging for both the cmd run and the Windows service. The only difference I found was in the sincedb_path:
While using cmd, sincedb_path: C:\Users\a_jyop/.sincedb_f6b660121cde1f69fbd71b1dc641d9b6
While using the Windows service, sincedb_path: C:\Windows\system32\config\systemprofile/.sincedb_f6b660121cde1f69fbd71b1dc641d9b6

In the sincedb files there is a difference:

C:\Users\a_jyop/.sincedb_f6b660121cde1f69fbd71b1dc641d9b6
2661828561-108871-9830400 0 0 1189592
2661828561-108871-9830400 0 0 1189592
2661828561-108884-12517376 0 0 1447660
2661828561-108910-20971520 0 0 1143470
2661828561-108999-38469632 0 0 1267308
2661828561-109281-29097984 0 0 1157182
2661828561-109395-25427968 0 0 1197952
2661828561-109525-17432576 0 0 1236082
2661828561-109597-12713984 0 0 1214404
2661828561-109621-22020096 0 0 1189918
2661828561-110299-8912896 0 0 1229537
2661828561-110426-15597568 0 0 1201262
2661828561-61943-27328512 0 0 1148822
2661828561-110611-15532032 0 0 1285101
2661828561-111769-16580608 0 0 1344181
2661828561-111896-27459584 0 0 1232002
2661828561-111937-13697024 0 0 1274662
2661828561-109983-10354688 0 0 1245332
2661828561-110123-16187392 0 0 1290263
2661828561-111749-23134208 0 0 1328366
2661828561-112072-26279936 0 0 1388416
2661828561-112089-19988480 0 0 1096614
2661828561-61767-9764864 0 0 1043846
2661828561-113787-19202048 0 0 1108782
2661828561-113902-39452672 0 0 1043779
2661828561-113954-35061760 0 0 1190430
2661828561-114008-34078720 0 0 1043615
2661828561-114074-32505856 0 0 1141517
2661828561-114096-22413312 0 0 1042371
2661828561-114049-25755648 0 0 1154772
2661828561-113987-27459584 0 0 1126272
2661828561-114001-43253760 0 0 1234031
2661828561-114551-41287680 0 0 437942

C:\Windows\system32\config\systemprofile/.sincedb_f6b660121cde1f69fbd71b1dc641d9b6
0 0 0 0

Why is the second file giving 0?
What should I infer from this?
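As an added example (not code from the post or from Logstash), a small Python check that parses both sincedb files in the Logstash 2.x format, `<inode> <major> <minor> <offset>` per line (on Windows the "inode" is the volume/file-index triple seen above), and reports whether the file input ever opened a file. Reading a lone `0 0 0 0` as "no file was ever discovered" is my interpretation: it records no file identity and no offset, which points at the account the service runs under (the LocalSystem profile in the service sincedb_path) not being able to see D:/share, rather than at a grok or date problem.

```python
from typing import List, NamedTuple

class SincedbEntry(NamedTuple):
    inode: str     # on Windows: "<volume>-<index_high>-<index_low>"
    major: int     # major device number (always 0 on Windows)
    minor: int     # minor device number (always 0 on Windows)
    offset: int    # byte position the file input has read up to

def parse_sincedb(text: str) -> List[SincedbEntry]:
    """Parse Logstash 2.x sincedb text: one '<inode> <major> <minor> <offset>' per line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"sincedb line {lineno}: expected 4 fields, got {len(parts)}")
        entries.append(SincedbEntry(parts[0], int(parts[1]), int(parts[2]), int(parts[3])))
    return entries

def diagnose(entries: List[SincedbEntry]) -> dict:
    """Summarise what the sincedb says the file input has actually done."""
    real = [e for e in entries if e.inode != "0"]   # "0 0 0 0" names no real file
    return {
        "files_tracked": len({e.inode for e in real}),
        "bytes_read": sum(e.offset for e in real),
        "never_opened_any_file": not real,
    }

def compare(cmd_text: str, service_text: str) -> dict:
    """Diagnose the cmd-run and service-run sincedb files side by side."""
    return {"cmd": diagnose(parse_sincedb(cmd_text)),
            "service": diagnose(parse_sincedb(service_text))}

# Constructed samples: a few lines copied from the two files shown in the post.
CMD_SINCEDB = """\
2661828561-108871-9830400 0 0 1189592
2661828561-108884-12517376 0 0 1447660
2661828561-114551-41287680 0 0 437942
"""
SERVICE_SINCEDB = "0 0 0 0\n"

if __name__ == "__main__":
    for name, summary in compare(CMD_SINCEDB, SERVICE_SINCEDB).items():
        print(name, summary)
```

If the service summary says `never_opened_any_file`, check that the service account can list and read the share path before touching the pipeline config.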
