I am trying to delete input files from a directory once they have been processed by Filebeat. I also want to confirm from Filebeat that a particular file has already been processed so that it is safe to delete. For that I tried a few things in my conf file.
input {
  file {
    path => "C:/../../../*"
    mode => "read"
    sincedb_path => "NULL"
    file_completed_action => "delete"
  }
  pipeline {
    address => bamboolog
  }
}
Can anyone please suggest what I am doing wrong? I am getting the error below:
[2022-12-27T13:02:07,730][ERROR][logstash.javapipeline ] Pipeline error {:pipeline_id=>"bamboolog", :exception=>#<LogStash::ConfigurationError: Specifying action => 'update' needs a document_id.>,
[2022-12-27T13:02:07,757][ERROR][logstash.agent ] Failed to execute action {:id=>:bamboolog, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create, action_result: false", :backtrace=>nil}
[2022-12-27T13:05:57,991][WARN ][org.logstash.plugins.pipeline.PipelineBus] Attempted to send event to 'bamboolog' but that address was unavailable. Maybe the destination pipeline is down or stopping? Will Retry.
This is your error: in your elasticsearch output you set the action to update; to use it this way you need to provide the value for the _id field of the document using the document_id option.
You need to set document_id to use the field with the _id of the document.
Here is my full conf file. I added document_id in the output. I got an error and the files were deleted from the input folder. Ideally it should delete the files once Filebeat is also up and the file has been processed.
Also, use the preformatted button when sharing configurations; it makes them easier to understand. It is the </> button.
Sorry, just saw this now.
This is not possible. Logstash has no way to know if a file was already processed by Filebeat or not. If you configure Logstash to read a file that Filebeat is also reading, and use the read mode, Logstash will try to delete it when it finishes processing.
Got some reference from this link - Deleting log files after they have finished processing
First I tried to do this using Filebeat, but then while searching I found the above link and tried to do that using Logstash.
Please suggest what/how I could achieve that.
There is nothing that I could suggest besides the already linked post.
Filebeat can not delete log files, only Logstash, if you need to delete log files after processing you need to use Logstash or use some external tool to delete the files after some time.
On Windows, if you do not want the in-memory sincedb persisted across restarts then set sincedb_path => "NUL". Setting it to NULL will persist it in a file called NULL in logstash's working directory.
@leandrojmp, I used Logstash to delete files and it does the same, but before Filebeat processes the files. But you mentioned - "Filebeat can not delete log files, only Logstash, if you need to delete log files after processing you need to use Logstash", but it is not doing as expected.
As I already said, Logstash has no way to know if Filebeat has processed the log or not. If you want to ingest a file and delete it, you need to use only Logstash. You can't use both, as Logstash will keep deleting the files.
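Added example, not part of the original thread: a Logstash-only pipeline that combines the points made in the replies above, assuming no Filebeat input reads the same directory. The input path, completed-log location, host, index name and the fingerprint-derived document id are assumptions chosen for illustration.

```logstash
# Constructed example: all paths, hosts and names below are placeholders.
input {
  file {
    path => "C:/logs/bamboo/*.log"            # hypothetical directory
    mode => "read"                            # read each file to EOF, then act on it
    sincedb_path => "NUL"                     # Windows null device; "NULL" would
                                              # create a file named NULL instead
    # "log_and_delete" records every removed file, so there is a trail of
    # what was deleted and when; "delete" alone leaves no record.
    file_completed_action => "log_and_delete"
    file_completed_log_path => "C:/logstash/completed_files.log"
  }
}

filter {
  # Derive a stable id for each event so that action => "update" has a
  # document_id. Hashing only the message means identical lines map to the
  # same document; add more source fields if that is not wanted.
  fingerprint {
    source => ["message"]
    target => "[@metadata][doc_id]"
    method => "SHA256"
  }
}

output {
  elasticsearch {
    hosts => ["https://localhost:9200"]       # placeholder host
    index => "bamboolog"                      # placeholder index name
    action => "update"
    # Without document_id the pipeline fails to start with
    # "Specifying action => 'update' needs a document_id."
    document_id => "%{[@metadata][doc_id]}"
    doc_as_upsert => true                     # create the document if it is missing
  }
}
```

The file input deletes a file once it has read it, not once Elasticsearch has acknowledged the events, so test the output against a copy of the data before pointing it at the only copy of the logs.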