Logstash not parsing every file

jamesp220291 · May 23, 2019, 7:53am

Hi All.

I have logstash set up to parse/ingest a local directory on my server.

The directory is for a CDN log files which are fetched every 10 minutes.
Unfortuantly the CDN produces a new log file multiple times a minutes ( so for example I have over 1000 log files for 1am-8am today).

The logs are never appended too, so just need to be read and then forgotten about.

Logstash seems to be struggling to parse these.

if i go into the directoy and run "zcat *.log.gz | wc -l it shows 103,884 lines, yet only 11,620 hits are showing in Kibana for today.

I would expect kibana to show 103,884 lines.

Looking in the file_completed_log it does seem to be missing quite a few out.

My config file for input is below -

input {
file {
path => "/data/logs/*.log.gz"
sincedb_path => "/data/logstash-db/sincedb"
mode => "read"
file_completed_action => "log"
file_completed_log_path => "/data/logstash-db/file_completed_log"
}
}

The log files are called - cds_20190522-154421-57378698007ch4.log.gz (ect ect)

Can anyone think of why this could be happening? Is logstash known for struggling with lots of small files?

AquaX · May 27, 2019, 8:55pm

Have you tried adding the gzip codec to your file input?
https://www.elastic.co/guide/en/logstash/current/plugins-codecs-gzip_lines.html

jamesp220291 · May 28, 2019, 6:36am

Hi,

Thanks for your response!.

This plugin is all ready installed.

The logstash works for some time, it has been working over the weekend but then randomly decided to stop @ 6pm on sunday (with no errors in the logs).

It's really frustrating me how it works for a few days, then just crashes/stops for no reason.

I then have to restart elasticsearch/logstash and it starts working again.

kirangavali · May 28, 2019, 10:29am

Hello @jamesp220291 can you please share the output plugin configuration details.
I mean how you configure the logstash output with the elasticsearch as input and logstash output with kibana as input.

jamesp220291 · May 28, 2019, 12:32pm

Hi

See below -

input {
file {
path => "/data/logs/*.log.gz"
sincedb_path => "/data/logstash-db/sincedb"
mode => "read"
file_completed_action => "log"
file_completed_log_path => "/data/logstash-db/file_completed_log"
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
index => "logs-%{+YYYY.MM.dd}"
document_type => "logs"
}

stdout { codec => rubydebug }

}

This is the input/output part of the logs.

system · June 25, 2019, 12:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash crashed 2 days ago, now not parsing files Logstash	7	508	April 3, 2019
Read a constantly overwritten file Logstash	6	1105	March 23, 2017
Logstash has suddenly stopped reading input files Logstash	8	909	September 15, 2020
Logstash randomly skipping files Logstash	4	825	February 24, 2021
Duplicate data parsed by Logstash, which cause duplicate data in Elasticsearch index Logstash	5	1617	October 6, 2017

Logstash not parsing every file

stdout { codec => rubydebug }

Related topics