Logstash big files

txisme · November 16, 2016, 4:58pm

Hey, recently i sent to logstash with filebeat a 5GB log text data and it just broke logstash. Is there any problem with sending big files at once?

eperry · November 16, 2016, 5:17pm

How did it break logstash?

Logs of logstash, error message and maybe your filebeat and logstash config would help diagnose it.

txisme · November 16, 2016, 5:22pm

Logstash and filebeat work perfect if im sending relatively small logs.

There are no logs messages, it simply stops working after processing some logs of that file
Only way to fix is to stop filebeat to harvest that specific file and restart logstash

txisme · November 16, 2016, 5:25pm

Is it possible that logstash or filebeat simply are on hold while they process the big file? And that if i wait a long time everything will appear?

EDIT: after 30min of waiting i notice that every index is getting bigger but at a very very slow rate. Less than 1000 docs were indexed.

eperry · November 16, 2016, 6:42pm

no it would have to be the config, since filebeat and logstash break files in to lines you could have infinate size files

A size of the file makes no difference it is what filebeat and logstash are doing with it.

For exxample an misconfigured multiline will eat up heap space. and you should have OOM errors in logstash

filebeat I am less familar with but I would imagine as fast as it can process the file and ship it off that is all

but this is all speculation without seeing logs and configs.

there is no known issue with log sizes I personally send 100G files with no problem.

txisme · November 17, 2016, 10:20am

Filebeat 1.3
Logstash 1.4 EDIT: 2.4

Filebeat prospector config:

    -
  paths:
    - "/root/tracy/logs/*.out"
  input_type: log

  fields:
    log_type: tracy

  multiline:
    pattern: '^Offset'
    negate: true
    match: after

Filebeat Log:
It doesnt even create a log file

Logstash config:

input {
    beats{
            port => 5044
    }
}
filter{
 if([fields][log_type]=="tracy"){
            grok{
                    match => {"message" => "(?m)%{WORD:check} = %{NUMBER:offset2:int}, %{WORD} = %{WORD:topic2}, %{WORD} = %{WORD:source2}, %{WORD} = %{WORD:type2}, %{WORD} = %{GREEDYDATA:value2}"}
            }
    }
}
output {
     if([fields][log_type]=="tracy"){
            elasticsearch{
                    hosts => [ "localhost:9200" ]
                    index => [ "tracy" ]
            }
}

Logstash Log:

Sending logstash logs to /var/log/logstash/logstash.log.
{:timestamp=>"2016-11-17T00:11:50.044000+0000", :message=>"Pipeline main started"}

txisme · November 17, 2016, 10:34am

Ok, i found the problem.

I was sending the output to ElasticSearch and to a fileoutput, it was that that was slowing down everything

Christian_Dahlqvist · November 17, 2016, 10:44am

I would recommend upgrading to a more recent Logstash release as 1.4 is almost anchient.

txisme · November 17, 2016, 10:45am

Sorry, i meant 2.4

Christian_Dahlqvist · November 17, 2016, 10:45am

That is much better.

system · December 15, 2016, 10:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.