Thanks for getting back so quickly!
Here's my Logstash conf for the /var/log/test file:
input {
  file {
    type => "syslog"
    path => ["/var/log/test"]
    # Only honoured the first time an inode is seen; after that the offset
    # recorded in the sincedb decides where reading resumes.
    start_position => "beginning"
  }
}

filter {
  grok {
    # Captures the first word of each line into a field literally named "yes"
    match => { "message" => "%{WORD:yes}" }
  }
}

output {
  elasticsearch {
    action => "index"   # the default: every event becomes a new document
    hosts => "localhost:9200"
    index => "test"
    workers => 1        # per-output workers; removed in Logstash 6, drop it there
  }
  stdout {}
}
I run "logstash -f" and it takes it with no problem. Indexing it into Kibana has no issue either.
After adding it in Kibana as an index pattern... the field "yes" shows up with a unique count of "1". But if /var/log/test is modified to say "no", nothing happens. When I restart Logstash... the unique count of "yes" goes up to "2".
Essentially what I want is for that count to go down to "0" if the file ever says log, with a minimal amount of service restarts. I'm not sure if I'm going about it entirely the wrong way.
Thanks again!
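Added example, not part of the post above and not Logstash's own code: a small Python model of the sincedb/inode bookkeeping a tailing file input does, replayed over the scenario described in the post (write "yes", rewrite the file, restart). It assumes the documented behaviour of Logstash's file input (files keyed by inode, start_position consulted only for a never-seen inode, a file smaller than the recorded offset treated as truncated, only newline-terminated lines emitted); the TailModel class, the helper functions, the temporary directory and the file contents are constructed for this illustration.

```python
import os
import tempfile
from collections import Counter


class TailModel:
    """Toy model of a sincedb-driven file tail (patterned on the documented
    behaviour of Logstash's file input; this is NOT the plugin's code).

    - files are keyed by inode, and the number of bytes already consumed
      is remembered per inode (the "sincedb");
    - start_position is consulted only for an inode never seen before;
    - a file that is smaller than the recorded offset is treated as
      truncated and read again from byte 0;
    - only newline-terminated lines become events.
    """

    def __init__(self, start_position="beginning", sincedb=None):
        self.start_position = start_position
        self.sincedb = dict(sincedb) if sincedb else {}

    def poll(self, path):
        st = os.stat(path)
        inode, size = st.st_ino, st.st_size
        if inode not in self.sincedb:
            offset = 0 if self.start_position == "beginning" else size
        else:
            offset = self.sincedb[inode]
            if size < offset:
                offset = 0  # shrank below what was read: treat as truncation
        with open(path, "rb") as fh:
            fh.seek(offset)
            chunk = fh.read()
        complete, sep, _partial = chunk.rpartition(b"\n")
        if not sep:
            self.sincedb[inode] = offset  # no full line yet, nothing emitted
            return []
        self.sincedb[inode] = offset + len(complete) + 1
        return [line.decode() for line in complete.split(b"\n")]


def write_in_place(path, text):
    """Rewrite the file through its existing inode (open with O_TRUNC)."""
    with open(path, "w") as fh:
        fh.write(text)


def replace_atomically(path, text):
    """Write a temp file and rename it over the path: a new inode appears."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


def run_scenario(directory):
    """Replay the post's scenario and snapshot the per-value document count
    after each step (what a terms / unique-count visualisation would see)."""
    path = os.path.join(directory, "test")  # stands in for /var/log/test
    index = Counter()                        # value -> number of documents
    tail = TailModel("beginning")
    snaps = {}

    write_in_place(path, "yes\n")
    index.update(tail.poll(path))
    snaps["first_read"] = dict(index)                # {'yes': 1}

    write_in_place(path, "yep\n")                    # same length as before
    index.update(tail.poll(path))
    snaps["same_length_rewrite"] = dict(index)       # unchanged: offset already past it

    write_in_place(path, "no\n")                     # shorter: seen as truncation
    index.update(tail.poll(path))
    snaps["shorter_rewrite"] = dict(index)           # {'yes': 1, 'no': 1}

    restarted = TailModel("beginning", sincedb=tail.sincedb)  # sincedb survived
    index.update(restarted.poll(path))
    snaps["restart_with_sincedb"] = dict(index)      # unchanged

    fresh = TailModel("beginning")                   # sincedb lost: re-read from byte 0
    index.update(fresh.poll(path))
    snaps["restart_without_sincedb"] = dict(index)   # {'yes': 1, 'no': 2}

    replace_atomically(path, "yes\n")                # new inode at the same path
    index.update(fresh.poll(path))
    snaps["inode_replaced"] = dict(index)            # {'yes': 2, 'no': 2}
    return snaps


def run_scenario_in_tempdir():
    with tempfile.TemporaryDirectory() as d:
        return run_scenario(d)


if __name__ == "__main__":
    for step, counts in run_scenario_in_tempdir().items():
        print(f"{step:26s} docs per value={counts}  unique values={len(counts)}")
```

The model makes the two mechanics behind the observed counts visible: an in-place edit that leaves the file at least as long as the recorded offset is never re-read, and a restart that has lost the sincedb (or a rewrite that produced a new inode) starts again from byte 0 under start_position => "beginning". In every case the index only ever gains documents, so a count derived from it can rise but never fall back to zero on its own.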