Logstash not showing any output (SOLVED)

I'm starting off with Logstash, working through the tutorials. I find the plugin documentation very lacking for someone with no experience with logstash. Here is the config file I am starting with:

input {
    file {
        path => "/Users/brad/Workspaces/unirisk.python/logstash/files/perflog.csv"
        start_position => beginning
    }
}

output {
    stdout { }
}

I am running logstash on a Macbook Pro, version 1.5.4, installed via homebrew. My startup is:

logstash -f test.conf

This simply results in:

Logstash startup completed

I should be seeing the lines from my CSV file (right?). But nothing. What am I missing? Do I need to install the input file plugin? I notice that plugin list shows no installed plugins. I try installing by:

sudo plugin install logstash-input-file

but I get the following:

-> Installing logstash-input-file...
Trying https://github.com/null/logstash-input-file/archive/master.zip...
Failed to install logstash-input-file, reason: failed to download out of all possible locations..., use --verbose to get detailed information

Confused and stuck.

By default Logstash will tail files. With start_position => beginning it will indeed read files from the beginning but only files that it hasn't seen before. I'm guessing that Logstash for some reason thinks it has seen and processed your perflog.csv and that it's now waiting for additional data to be appended to it. A recent pull request adds more documentation about how the file input plugin works, including information about how to reset the state information that Logstash keeps so that it actually starts from the beginning.

Thanks. I found a couple of ~/.sincedb* files and removed them. When I reran logstash there is still no output.

Is the file input plugin included by default? Do I need to install it? There are no errors when I run logstash, so guessing not.

Doing something so simple is indeed very frustrating and does not make logstash very appealing. I've already written a python script to process the file.

That's odd. Start Logstash with -v to get verbose log output. It should tell you if it has any problems opening the file (e.g. permission problems or a typo in the filename pattern). Otherwise it'll tell you what sincedb file it uses and what the current file offset is.

Seems odd. Here is what I get:

logstash -f ./test.conf  -v

Output:

Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/aws", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/bro", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/firewalls", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/grok-patterns", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/haproxy", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/java", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/junos", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/linux-syslog", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/mcollective", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/mcollective-patterns", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/mongodb", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/nagios", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/postgresql", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/rails", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/redis", :level=>:info}
Grok loading patterns from file {:path=>"/usr/local/Cellar/logstash/1.5.4/libexec/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-0.3.0/patterns/ruby", :level=>:info}
Registering file input {:path=>["/Users/brad/Workspaces/unirisk.python/logstash/files/*.csv"], :level=>:info}
No sincedb_path set, generating one based on the file path {:sincedb_path=>"/Users/brad/.sincedb_1f52c18f93dfb3a2d1e9d32a99f75566", :path=>["/Users/brad/Workspaces/unirisk.python/logstash/files/*.csv"], :level=>:info}
Pipeline started {:level=>:info}
Logstash startup completed

Even specifically naming the file gives the same result - no output.

Registering file input {:path=>["/Users/brad/Workspaces/unirisk.python/logstash/files/perflog.csv"], :level=>:info}
No sincedb_path set, generating one based on the file path {:sincedb_path=>"/Users/brad/.sincedb_2b825ae5328f34901ed3c365067fcac8", :path=>["/Users/brad/Workspaces/unirisk.python/logstash/files/perflog.csv"], :level=>:info}
Pipeline started {:level=>:info}
Logstash startup completed

Hmm. Okay. What's in the sincedb file? If you delete it again and enable verbose logging with --debug, what does it say? The relevant code starts at tail.rb:143.

Thanks for trying to help me figure this out.

Contents of the .sincedb file:

cat .sincedb_2b825ae5328f34901ed3c365067fcac8 
14346855 1 4 0

The debug is too long for a single post. Here is a link to the output via Evernote:

Logstash debug output

I figured out the problem with plugins. I had elasticsearch installed too, which has a "plugin" in the path. I was inadvertently running the wrong plugin. Running the logstash version of plugin revealed that all the plugins were already installed.

Just for grins, I removed the homebrew installs of logstash, elasticsearch, & kibana. Then subsequently installed these manually from fresh downloads. Unfortunately, I'm having exactly the same problem. Nothing is jumping out at me in the debug file. Hmmm....

EDIT: This is crazy. I changed the output to:

output {
    file {
        path => "/Users/brad/test.txt"
    }
}

The output file does not get created. I also tried running logstash as sudo, but still no output.

Try;

input {
  stdin {}
}

And then cat the file into LS - cat /Users/brad/Workspaces/unirisk.python/logstash/files/perflog.csv | logstash -f test/conf.

No output.

cat files/perflog.csv  | logstash -f files/test2.conf -v
Pipeline started {:level=>:info}
Plugin is finished {:plugin=><LogStash::Inputs::Stdin debug=>false, codec=><LogStash::Codecs::Line charset=>"UTF-8">>, :level=>:info}
Logstash startup completed
Plugin is finished {:plugin=><LogStash::Outputs::Stdout codec=><LogStash::Codecs::Line charset=>"UTF-8">, workers=>1>, :level=>:info}
Pipeline shutdown complete. {:level=>:info}
Logstash shutdown completed

I manually installed logstash on my mint virtual machine. Used the stdin and stdout version of the config file. No output. Exactly the same result. This has to be some sort of bug in logstash.

cat files/perflog.csv  | logstash -f files/test2.conf -v
Pipeline started {:level=>:info}
Plugin is finished {:plugin=><LogStash::Inputs::Stdin debug=>false, codec=><LogStash::Codecs::Line charset=>"UTF-8">>, :level=>:info}
Logstash startup completed
Plugin is finished {:plugin=><LogStash::Outputs::Stdout codec=><LogStash::Codecs::Line charset=>"UTF-8">, workers=>1>, :level=>:info}
Pipeline shutdown complete. {:level=>:info}
Logstash shutdown completed

Either logstash is majorly messed up or I'm missing something really basic. For completeness I downloaded version 1.4.2. Same result.

EDIT 1:
I cannot reply any longer due to a daily limit. Here is the config:

input {
    stdin {}
}

output {
    stdout {}
}

EDIT 2: Still cannot reply due to daily limit
Problem solved! It turns out my first logfile I am testing with is using old style line endings. This was no problem for my python program processing the CSV file, no problem for sublime or intellij. No problem even for Microsoft Excel running on my Mac. But cat didn't like it, and neither did logstash.

Can we see your entire config?

I know this is a really old post - but like to contribute back. But I had the same issue. I was able to solve it for my part.

Putting in debug mode I was able to get an important message:
_discover_file: /Users/wtaylor/Downloads/logstash-2.2.2/bin/Wayne.csv: skipping because it was last modified more than 86400.0 seconds ago {:level=>:debug, :file=>"filewatch/watch.rb", :line=>"310", :method=>"_discover_file"}
Pushing flush o

When I touched the log file I was reading in boom data started to process

does this mean the file was created too long ago?

I'm having similar issues: deal with old files and a lot of them. And so is there any way to change this "86400 second" limitation?

does this mean the file was created too long ago?

No, it means the file was modified too long ago.

I'm having similar issues: deal with old files and a lot of them. And so is there any way to change this "86400 second" limitation?

hi...
when i run logstash config file .it display output but when we run it again then no output displayed.
its new for me.
i installed logstash 2.2,elasticsearch 2.2 and kibana 1.4.
plz reply soon .its urgent.

Please start a new thread.