Logstash not parsing every file

jamesp220291 · May 23, 2019, 7:53am

Hi All.

I have logstash set up to parse/ingest a local directory on my server.

The directory is for a CDN log files which are fetched every 10 minutes.
Unfortuantly the CDN produces a new log file multiple times a minutes ( so for example I have over 1000 log files for 1am-8am today).

The logs are never appended too, so just need to be read and then forgotten about.

Logstash seems to be struggling to parse these.

if i go into the directoy and run "zcat *.log.gz | wc -l it shows 103,884 lines, yet only 11,620 hits are showing in Kibana for today.

I would expect kibana to show 103,884 lines.

Looking in the file_completed_log it does seem to be missing quite a few out.

My config file for input is below -

input {
file {
path => "/data/logs/*.log.gz"
sincedb_path => "/data/logstash-db/sincedb"
mode => "read"
file_completed_action => "log"
file_completed_log_path => "/data/logstash-db/file_completed_log"
}
}

The log files are called - cds_20190522-154421-57378698007ch4.log.gz (ect ect)

Can anyone think of why this could be happening? Is logstash known for struggling with lots of small files?

AquaX · May 27, 2019, 8:55pm

Have you tried adding the gzip codec to your file input?
https://www.elastic.co/guide/en/logstash/current/plugins-codecs-gzip_lines.html

jamesp220291 · May 28, 2019, 6:36am

Hi,

Thanks for your response!.

This plugin is all ready installed.

The logstash works for some time, it has been working over the weekend but then randomly decided to stop @ 6pm on sunday (with no errors in the logs).

It's really frustrating me how it works for a few days, then just crashes/stops for no reason.

I then have to restart elasticsearch/logstash and it starts working again.

kirangavali · May 28, 2019, 10:29am

Hello @jamesp220291 can you please share the output plugin configuration details.
I mean how you configure the logstash output with the elasticsearch as input and logstash output with kibana as input.

jamesp220291 · May 28, 2019, 12:32pm

Hi

See below -

input {
file {
path => "/data/logs/*.log.gz"
sincedb_path => "/data/logstash-db/sincedb"
mode => "read"
file_completed_action => "log"
file_completed_log_path => "/data/logstash-db/file_completed_log"
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
index => "logs-%{+YYYY.MM.dd}"
document_type => "logs"
}

stdout { codec => rubydebug }

}

This is the input/output part of the logs.

Topic		Replies	Views
Logstash does not pick up all gzip log files Logstash	2	627	April 23, 2021
Logstash is only partially reading input files Logstash	5	1918	August 7, 2017
Logstash skipped half of log file Logstash	5	845	October 4, 2018
Logstash does not parse all logs with file as input Logstash	2	247	July 13, 2021
How to efficiently parse log files in logstash? Logstash	3	473	July 16, 2018

Logstash not parsing every file

stdout { codec => rubydebug }

Related topics