Logstash sincedb file issue

rahulnama · August 20, 2020, 11:08pm

Hi Team

My elk is on docker and I'm mounting sincedb file to mounted volume.

I changed the directory of logstash file input and recreated the docker container.

I see log data of only one file in elasticsearch though having 5 matching files for the input pattern.

I opened sincedb file and i saw this

!

But, none of the above files are in Elasticsearch. Also, there is no index created for that date pattern.

I opened sincedb after some time, All of them disappeared. I'm able to see only this.

Not sure why this is happening. I checked multiple times. and everytime sincedb file is changing.

However, my concern is data from that folder is not indexing into es. I see data only from one file despite having 5 files. Any suggestions on this ?

here is my input config:

 file {
        path => "/usr/share/logstash/data/sincedb/logs/phxalfresco-6bfdbdcc47-8pbb5_logs/access-2020-**.log"
        type => "access-log"
         sincedb_path => "/usr/share/logstash/data/sincedb/.sincedb"
}
    }

Thanks for your time

system · September 17, 2020, 11:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Restarting logstash container sends events again to elastic, despite sincedb Logstash docker	8	645	March 14, 2023
Handling duplicate data in Logstash + Elastic Search Logstash	3	846	February 25, 2018
Logstash Sincedb duplicate entries Logstash	2	182	November 29, 2023
Logstash on docker: configure sincedb file to use the last indexed position whenever container restarts/new Logstash docker	12	1855	August 14, 2020
Deleted sincedb files, no new are getting created Logstash	6	1646	July 6, 2017

Logstash sincedb file issue

Related topics