S3 input plugin. Parse again an S3 bucket

Adrien_Bigot · August 8, 2019, 10:15am

Hello,

I have an S3 bucket filled with kinesis logs.
I want to re scan entirely this bucket but I didn't manage to do it.

I've tried to delete the sincedb file ( /var/lib/logstash/plugins/inputs/s3/sincedb_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx), but after restarting logstash, it regenerate it, start re rescan from the first file found in S3 bucket (2 weeks ago) BUT it only send to elasticsearch logs starting from the current date/time.

Can anyone tell me why logstash don't send to ES old logs but only logs from its starting time ?

Thank you !

Adrien

Badger · August 8, 2019, 12:05pm

Was logstash running when you deleted the sincedb? If so, it will have persisted the in-memory sincedb when it shut down. Shut logstash down before you remove the sincedb.

Adrien_Bigot · August 14, 2019, 1:15pm

Hi,

Yes logstash is stopped when I remoce the sinceDB.

I stop Logstash
I remove sincedb
I start logstash.

If I watch my sinceDB file when logstash just recreate it, I can see that it parse all the S3 logs . But the problem is that logstash send to elasticsearch ONLY logs from the date/time at which it was started.

Thanks

Adrien

Topic		Replies	Views
Tell Logstash to ignore old files in s3 bucket Logstash	3	1685	May 4, 2020
Logstash S3 Input - How does it know where to start? Logstash	2	1616	May 8, 2018
Provided sincedb file is ignored Logstash	2	50	September 20, 2024
Logstash-s3-plugin not importing data or creating sincedb file Logstash	2	2173	December 12, 2018
Logstash s3 input reads file multiple times Logstash	1	239	July 21, 2023

S3 input plugin. Parse again an S3 bucket

Related topics