Reading from first

NIloufarVafaei · June 9, 2018, 8:06am

i use logstash for reading a log file .this file store my service log ,so added some logs during a hours. the point is each time that a log add in my log file , logstash read all log file from first and send it to elasticsearch . how can i fix this config that each time send just latest log to elasticsearch?

Badger · June 9, 2018, 1:00pm

Can you show us your logstash input configuration?

Leandro_Sampaio · June 9, 2018, 2:04pm

This isn't the normal mode of work from logstash... The logstash store position read from each file and case you kill a process, the same start in correct position

praveen.vemuri · June 9, 2018, 2:37pm

Configure sincedb_path for the file input in logstash.

sincedb_path
Value type is string
There is no default value for this setting.
Path of the sincedb database file (keeps track of the current position of monitored log files) that will be written to disk. The default will write sincedb files to <path.data>/plugins/inputs/file NOTE: it must be a file path and not a directory path

NIloufarVafaei · June 10, 2018, 7:33am

input {
file {
path => "/home/adanic/alternatives.log"
type => "log"
}
}
filter {
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "doc"
document_type => "%{type}"
}
}
it is my first config

NIloufarVafaei · June 10, 2018, 7:36am

i change my conf and set directly sincedb_path bud didn't work
hear my second conf
input {
file {
path => "/home/adanic/alternatives.log"
type => "log"
sincedb_path =>"/home/adanic/ee"
}
}
filter {
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "doc"
document_type => "%{type}"
}
}

magnusbaeck · June 10, 2018, 6:16pm

Exactly how are you adding logs to the file? By appending to the file?

NIloufarVafaei · June 11, 2018, 4:31am

yes i append each log to end of the log file

magnusbaeck · June 11, 2018, 5:53am

How, exactly?

NIloufarVafaei · June 11, 2018, 7:29am

well ,i open log file and paste one row of log that i copied and save

magnusbaeck · June 11, 2018, 7:43am

In a text editor? Then you won't actually append to the file. The text editor will most likely create a new file, write the new data into that file, and rename it into place. To Logstash, this counts as a brand new file.

But the configuration you claim you have is inconsistent with the behavior you describe. Unless you set the file input's start_position option to "beginning" Logstash will under no circumstances read a file from the beginning (well, okay, unless the file is empty).

NIloufarVafaei · June 11, 2018, 7:47am

you mean i should set start_position => "end"?

magnusbaeck · June 11, 2018, 7:59am

No, I mean that you shouldn't use a text editor to simulate appending to a log file, because it won't actually be an append operation.

NIloufarVafaei · June 11, 2018, 8:06am

but i test it in windows and it was ok in this way of adding log.
ok i test it with system log file .this file i think use append operation for add log

system · July 9, 2018, 8:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.