Hi,
I have configured Logstash to run on a log file that I have. I have specified the path in the configuration, and I have added some other stuff in the file configuration:
input {
file {
path => "C:\users\XXX\Downloads\Logstash\server.log.2017-08-01"
start_position => "beginning"
codec => multiline {
pattern => "^(\d{4}-\d{2}-\d{2}\s*)?\d{2}:\d{2}:\d{2},\d{3}" # Time indicates a new line.
negate => true
what => previous
charset => "ASCII"
}
}
}
The problem is that, when I start logstash and the log file is where it's supposed to be, nothing happens. I have to open the file, and like add a space or something (Just make a modification) and then save the file again to make logstash start analysing my logs.
Why does this happen? What I want is to make Logstash start directly without me modifying the file.
start_position => "beginning" only matters the first time Logstash sees a file. Even with this setting Logstash won't start from the beginning every time. Read about sincedb in the file input documentation.
Thank you.
But removing the line didn't solve the problem.
I launched Logstash, I copied the file into the correct path and Logstash is still on hold.
Same behavior occurs when I start Logstash with the file already in the correct path.
I found the solution. There's two options:
1- I have added the sincedb_path into the configuration
2- Launched Logstash with a new log file (Renamed the old one)
3- Before starting Logstash again, I removed the sincedb file that was generated in the path I specified in my previous configuration, and restarted Logstash again. It started analyzing directly.
So I just had to "reset" it's position.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.