Logstash to parse only part of apache log file

elk_dni_1 · December 20, 2018, 11:25am

Hi Guys,

I am re-indexing few ones. They are monthly.

I deleted the a month index say Oct 2018 one.

Oct Index contains data :
Oct 1st UTC - Oct 31 UTC

But my apache logs are in PST and are rotated daily. So I need to put log files from "Sep 30 5 PM PST - Oct 30 4:59 PM PST" for Oct ELK Index (UTC).

Is there a way to make logstash to parse only portion of log file instead of complete file, so that I can pass Sep 30 PST and Oct 30 PST log files and can ask logstatsh to pick from/till time specified.

Thanks

Christian_Dahlqvist · December 20, 2018, 12:03pm

No, I do not think that is possible, but you might be able to use a drop filter to avoid processing data outside a specific interval.

elk_dni_1 · December 20, 2018, 12:13pm

So what is the efficient way for my issue and also to regenerate indexes ...

elk_dni_1 · December 20, 2018, 1:38pm

Hi Christian

Is there a way to monitor how much of a log file is parsed by logstash. As during downtimes of systems, where we have to stop logstash and es running processes, are they re-runnable. I mean they will start again where they left. Please suggest how to handle ELK processing during/post downtimes.

Thanks

system · January 17, 2019, 1:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
@timestamp not matching date parsed, apache logs Logstash	3	2799	July 6, 2017
Default UTC timzone of @timestamp writing new data to older monthly index Logstash	8	813	April 10, 2020
Logstash Date parsing error Logstash	12	406	April 1, 2022
Parsing apache access log file and extract timestamp Logstash	2	2348	January 31, 2019
Logstash indexing all logs to the index of first log Logstash	2	291	June 24, 2019

Logstash to parse only part of apache log file

Related topics