Hi Team
My ELK is on Docker and I'm mounting the sincedb file to a mounted volume.
I changed the directory of the Logstash file input and recreated the Docker container.
I see log data of only one file in Elasticsearch despite having 5 matching files for the input pattern.
I opened the sincedb file and I saw this
But none of the above files are in Elasticsearch. Also, there is no index created for that date pattern.
I opened sincedb after some time, and all of them disappeared. I'm able to see only this.
Not sure why this is happening. I checked multiple times, and every time the sincedb file is changing.
However, my concern is that data from that folder is not being indexed into ES. I see data only from one file despite having 5 files. Any suggestions on this?
Here is my input config:
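input {
  file {
    # Glob pattern for the access logs to read
    path => "/usr/share/logstash/data/sincedb/logs/phxalfresco-6bfdbdcc47-8pbb5_logs/access-2020-**.log"
    type => "access-log"
    # File where the input persists its read position for each tracked file
    sincedb_path => "/usr/share/logstash/data/sincedb/.sincedb"
  }
}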
Thanks for your time