Hi,
I am still facing issue for tracking the current position of the log file being read.
Whenever I restart the logstash agent, it starts reading for the start due to which I am getting duplicate entries in my elastic search.
Please help to solve this issue
This sounds like a sincedb problem. What is your config when you try to load your input files? I know there is a dev input style that people use when they want to make sure logstash is working. If you want to clear your elasticsearch just send it a curl -XDELETE 'localhost:9200/_all'. That is the default command
My config while trying to load a file like this
input{
file{
Path=>"/etc/sample.log"
type=>"sample"
sincedb =>"/etc/"
}
}
The command to delete the logs from elastic search may be useful but that cannot be done everytime i restart logstash in production environment.
Is there any solution for this problem?
In the past when people have had HP-UX issues I believe it's been because of JRuby problems and that's not easily fixed by the Logstash folks. HP-UX isn't an officially supported platform for Logstash; see https://www.elastic.co/subscriptions/matrix.
Note that with sincedb => "/etc/" you need to run Logstash as a user with write permissions to /etc, which typically means root. Are you? (If yes, stop doing it. Logstash should not run as root.)
@Kumaravel try using a full path to sincedb instead of a directory, like
file {
path => "/etc/sample.log"
sincedb_path => "/etc/since.db"
}© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.