Logstash service restart : reading file from beginning

anoopmk007 · August 25, 2016, 6:41pm

Hello,

I am facing some issues with logstash service restart.
Every time when restart the service , then logstash start reading logs files from beginning.

Any idea how to resolve this?

logstash configuration:-

input {
file{
path => "E:/DashBoard/OUTBOUND/*"
start_position => "end"
}
}

filter
{
kv {
source => "message"
value_split => "]"
field_split => ","
trimkey => "["
}

mutate
{
add_field =>["[geoip][location]","%{[latitude]}"]
add_field =>["[geoip][location]","%{[longitude]}"]
}

mutate
{
convert =>["[geoip][location]","float"]

}
}

output {
elasticsearch { hosts => ["xx.xx.xx.xx:9200"] }
stdout { codec => rubydebug }
}

magnusbaeck · August 25, 2016, 8:23pm

I'm guessing Logstash is having issues writing the sincedb file (or reading it upon startup). Look in your logs for clues about sincedb. You may have to crank up the logging by starting Logstash with -v or even -d.