I have a tool that we slurp up the files to Humio and FileBeat works perfectly if I delete the file before the task runs, but we would like not to delete the file so we don't get all the lines every hour, just the new lines.
We are using the config below and it is working for releasing the handle so our tool runs and creates the file, but does not seem to check in or update on the hour when the file is updated if I don't delete the file.
So any hints would be great. Latest version in Windows 64 FileBeat
Filebeat is supposed to tail files. Todo so, it keeps the last known offsets in the registry file. If filebeat finds a file is being updated (new file size), it will reopen the file and continue reading from the last known position.
Filebeat actively scans for file updates. The interval is configured by scan_interval. The time a scan starts depends on the starting time of filebeat. Scans are not rounded to the hour/minute.
I was looking more for other option. We do not keep the file open, so FileBeat creates a handle and then an hour later when our tool runs it can't write tot he file... breaking the process.
The above config is how we got around it.
But wondering if there were other option combos we could try.
For tailing a log file one needs shared access to the file. Filebeat requires read access only. The tool blocking the write if filebeat still has the file handle open makes me assume that your tool is accessing the file in exclusive mode. See CreateFile developer docs, if FILE_SHARE_READ is not set when opening the file, the tool and/or filebeat might block each other from time to time.
If you can not modify file access mode in your tool, best workaround is setting scan_interval to a lower value (as you already did). The scan_interval will be determine potential latencies.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.