Logstash will read 3days old file

P_Kumar · August 4, 2017, 8:01pm

Is it possible to logstash5 will read 3 days old SystemOut.log file ?

magnusbaeck · August 5, 2017, 3:34pm

If configured to do so Logstash will read files with any name and any age.

P_Kumar · August 5, 2017, 5:25pm

I configure 5 files in one logstash configration but it is sending only 3 files to elastic serch and rest are not sending but it is showing in stdout .so i thought it may be file age.how we will debug this issue and who is blocking rest 2 files to send elstic search

magnusbaeck · August 5, 2017, 5:47pm

Show us your configuration.

P_Kumar · August 7, 2017, 8:38pm

input {
file {
type => "nodeagent"
path => [ "/opt/WebSphere/AppServer/profiles/AppSrv01/logs/nodeagent/SystemOut.log" ]
ignore_older => "400000000"
start_position => "beginning"
sincedb_path => "/dev/null"

    }
    file {
            type => "websphere1"
            path => [ "/opt/WebSphere/AppServer/profiles/AppSrv01/logs/App-v01/SystemOut.log" ]
            ignore_older => 4
            start_position => "beginning"
            sincedb_path => "/dev/null"
    }
    file {
            type => "app1"
            path => [ "/opt/WebSphere/AppServer/profiles/AppSrv01/logs/App1-v01/SystemOut.log" ]
            ignore_older => 4
            start_position => "beginning"
            sincedb_path => "/dev/null"
    }
    file {
            type => "app"
            path => [ "/opt/WebSphere/AppServer/profiles/AppSrv01/logs/App12Server1/SystemOut.log" ]
            ignore_older => 4
            start_position => "beginning"
            sincedb_path => "/dev/null"
    }
    file{
            type => "dmgr"
            path => [ "/opt/WebSphere/AppServer/profiles/Dmgr01/logs/dmgr/SystemOut.log" ]
            start_position => "beginning"
            ignore_older => 4
            sincedb_path => "/dev/null"

    }

}

#filter {

grok {

match => [ "message", "%{COMBINEDAPACHELOG}" ]

}

#}

output {
if [type] == "nodeagent" {
elasticsearch{
hosts => ["x.x.x.x:9200"]
index => "x.x.x.x_nodeAgent_%{+YYYY.MM.dd}"
}
}
if [type] == "websphere1" {
elasticsearch{
hosts => ["x.x.x.x:9200"]
index => "x.x.x.x_App-v01_%{+YYYY.MM.dd}"
}
}
if [type] == "app1" {
elasticsearch{
hosts => ["x.x.x.x:9200"]
index => "x.x.x.x_App1-v01_%{+YYYY.MM.dd}"
}
}
if [type] == "app" {
elasticsearch{
hosts => ["x.x.x.x:9200"]
index => "x.x.x.x_App12Server1-v01_%{+YYYY.MM.dd}"
}
}
if [type] == "dmgr" {
elasticsearch{
hosts => ["x.x.x.x:9200"]
index => "x.x.x.x_dmgr_%{+YYYY.MM.dd}"
}
}
else {
stdout{
codec => rubydebug
}
}

}

magnusbaeck · August 8, 2017, 5:22am

If you look in your Logstash logs I'm pretty sure you'll find lots of log entries telling you that it can't create the indexes because index names must be all lowercase.

P_Kumar · August 8, 2017, 6:54pm

Thanks it is working now.

system · September 5, 2017, 6:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.