I would like to check if logstash is able to read updated logs instead of appended logs.
For example, my program generates an XML log over time but the XML data is updated into the log file, which means there are no new lines in the log file, just minor changes. Can logstash read such information?
If so, what is the configuration?
In addition, the current XML log is a single line and logstash doesn't read the line until I forcefully append a new line to it. Is there a way for logstash to read the single line log file?
For example, my program generates an XML log over time but the XML data is updated into the log file, which means there are no new lines in the log file, just minor changes. Can logstash read such information?
It depends. Exactly how is the file updated? Rewritten in place (same inode)? Brand new file each time?
In addition, the current XML log is a single line and logstash doesn't read the line until I forcefully append a new line to it. Is there a way for logstash to read the single line log file?
You mean the file doesn't end with a newline character? No, the file input doesn't support that.
I suppose you could use an exec input that just runs "cat filename.xml". If you're outputting the data to ES you could use the duplicate avoidance technique described in a recent elastic.co blog post.
The file is updated via changes to the file (exact same file name).
For example, there is a <Status>Started</Status> in the file and after some time it gets changed to <Status>Error</Status>
Could you give more details as to how to use an exec to run "cat" in the input section in the logstash.conf?
And yes, I am outputting data to ES, so could you refer me to the recent blog post?
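A sketch of the exec-plus-deduplication pipeline suggested above, added here as an example and not posted by anyone in the thread. It assumes the duplicate avoidance technique means hashing the event with the fingerprint filter and using the hash as the Elasticsearch document ID; the file path, polling interval, key, host and index name are placeholders.

```conf
input {
  exec {
    # Path is a placeholder for the XML file from the thread.
    # exec captures the whole stdout as one event, so the missing
    # trailing newline does not matter here.
    command  => "cat /path/to/filename.xml"
    interval => 30          # seconds between runs (assumed value)
  }
}

filter {
  # Hash the file content; identical reads yield the same ID.
  fingerprint {
    source => "message"
    target => "[@metadata][fingerprint]"
    method => "SHA256"
    key    => "REPLACE_WITH_YOUR_OWN_KEY"   # placeholder HMAC key
  }
  # Optional: parse the XML so fields such as Status become searchable.
  xml {
    source => "message"
    target => "doc"
  }
}

output {
  elasticsearch {
    hosts       => ["localhost:9200"]        # assumed local cluster
    index       => "xml-status"              # hypothetical index name
    # Same content -> same ID -> the document is overwritten, not duplicated.
    document_id => "%{[@metadata][fingerprint]}"
  }
}
```

With this layout every poll that finds the file unchanged rewrites the same document, while a change such as Started becoming Error produces a new document, so the index keeps one entry per distinct state of the file.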