Unable to Read from File in Windows


(James Renaud) #1

Hey all,

I'm at a bit of a loss on this one; after spending a couple of hours on Google and checking through about a dozen articles, I'm still not getting this resolved.

I have a flat *.log file that I'm trying to read from; my config file is:

input
{
  stdin
  {
  }
  file
  {
    path => "C:/Program Files (x86)/Mitel/MiContact Center/Logs/MaintenanceAlarmDispatcher.log"
    start_position => "beginning"
  }
}
filter
{
  grok
  {
    match => ["message", "%{LOGLEVEL:level}:%{SPACE}(?<timestamp>\d{4}-\w{3}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3})%{SPACE}%{GREEDYDATA:log_line}"]
    tag_on_failure => [ '' ]
  }
  date
  {
    match => ["timestamp", "YYYY-MMM-dd HH:mm:ss.SSS"]
  }
}
output
{
  elasticsearch
  {
    host => localhost
    port => 9301
  }
  stdout
  {
  }
}

Now, if I paste in a log line manually through the console it comes through into elastic ok - so I know my grok matching is good, which means something is wrong with the file input.

Any ideas on where to go from here?
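An offline way to confirm the "grok matching is good" claim before touching the file input, as an added example (not the original poster's code): plain Ruby regexes stand in for Logstash's grok library, and the LOGLEVEL and SPACE definitions below are simplified approximations of the stock grok patterns (an assumption). The named capture `timestamp` is the field the date filter in the config reads, so a pattern without that name would leave the date filter nothing to parse.

```ruby
# Added example, not the original poster's code: an offline check of the grok
# pattern and date format from the config above, using plain Ruby regexes in
# place of Logstash's grok library. The LOGLEVEL and SPACE stand-ins are
# simplified approximations of the stock grok definitions (an assumption).
require 'date'

LOGLEVEL   = '(?:TRACE|DEBUG|INFO|NOTICE|WARN(?:ING)?|ERROR|CRITICAL|FATAL|SEVERE)'
SPACE      = '\s*'
GREEDYDATA = '.*'

# Same shape as the grok line: level, ':', optional space, timestamp, optional
# space, rest of line. The named group "timestamp" is what the date filter
# reads; the dot before the milliseconds is escaped so only '.' is accepted.
LINE_RE = /\A(?<level>#{LOGLEVEL}):#{SPACE}(?<timestamp>\d{4}-\w{3}-\d{2}\s\d{2}:\d{2}:\d{2}\.\d{3})#{SPACE}(?<log_line>#{GREEDYDATA})\z/

# strptime equivalent of the Joda pattern "YYYY-MMM-dd HH:mm:ss.SSS".
DATE_FORMAT = '%Y-%b-%d %H:%M:%S.%L'

# Returns the event fields grok would set plus a parsed @timestamp, or nil
# when the line does not match (the case tag_on_failure is meant to flag).
def parse_log_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  event = { 'level' => m[:level], 'timestamp' => m[:timestamp], 'log_line' => m[:log_line] }
  event['@timestamp'] = DateTime.strptime(event['timestamp'], DATE_FORMAT)
  event
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample lines; not taken from a real MaintenanceAlarmDispatcher.log.
  ['INFO: 2016-Mar-14 10:22:31.123 Dispatcher started',
   'ERROR: 2016-Mar-14 10:22:31.999 Alarm queue unavailable',
   '2016/03/14 10:22:31 line without a level prefix'].each do |line|
    puts "#{line.inspect} => #{parse_log_line(line).inspect}"
  end
end
```

Running it prints a parsed hash for the two well-formed lines and nil for the third, which is the outcome the `tag_on_failure` setting is there to surface in Logstash.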


(Chaitanya Varanasi) #2

Hi James,
If the log file is a static file (old log file), then add the configuration start_position => "beginning" to the file input plugin. The file input plugin reads only from the end of the file; adding the above config makes it read from the start.

The only drawback I noticed is that if the log is a live log (data gets appended to it), adding the config (after deleting the .sincedb file) will re-scan the entire log file from the beginning.

Thanks and Regards,
Chaitanya Varanasi


(James Renaud) #3

Looks like I had some .sincedb files created before my grok was solid; I deleted those and now I've got it parsing the file nicely.

Thanks!
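The interaction between the sincedb, start_position and a live log that the two replies above describe, replayed as an added example (not Logstash's own code). It models the sincedb as an in-memory hash from a file identity to the byte offset already shipped, and assumes, as the replies state, that start_position only decides the starting offset when no sincedb entry exists for the file.

```ruby
# Added example, not Logstash's own code: a small model of the file input's
# sincedb bookkeeping, enough to show why start_position => "beginning" is
# ignored once a .sincedb entry exists for the file.
# Assumption: sincedb maps a file identity (inode on Linux, a path-derived key
# here) to the byte offset already shipped; a missing entry is the only case in
# which start_position decides the starting offset.

# Return the lines not yet shipped and advance the sincedb to end of file.
def read_new_lines(content, sincedb, file_id, start_position: 'end')
  offset =
    if sincedb.key?(file_id)
      sincedb[file_id]                       # resume where we left off
    elsif start_position == 'beginning'
      0                                      # first sight of the file: whole file
    else
      content.bytesize                       # first sight of the file: tail only
    end
  fresh = content.byteslice(offset, content.bytesize - offset) || ''
  sincedb[file_id] = content.bytesize
  fresh.lines.map(&:chomp)
end

# Replay the sequence from the thread: a first run that leaves a sincedb entry,
# a restart with start_position => "beginning", then the fix (delete sincedb)
# and a live append afterwards.
def replay_thread_scenario
  # Constructed log content, not from a real MaintenanceAlarmDispatcher.log.
  log = "INFO: 2016-Mar-14 10:22:31.123 first\nINFO: 2016-Mar-14 10:22:32.456 second\n"
  sincedb = {}
  result = {}

  # Run 1: default start_position; the input tails, so it ships nothing but
  # records that it has seen the file up to its current end.
  result[:first_run] = read_new_lines(log, sincedb, 'Maintenance.log')

  # Run 2: start_position => "beginning" added, but the entry still exists,
  # so the setting has no effect and nothing is shipped.
  result[:restart_with_beginning] =
    read_new_lines(log, sincedb, 'Maintenance.log', start_position: 'beginning')

  # Fix: delete the .sincedb entry (the thread's resolution) and restart.
  sincedb.delete('Maintenance.log')
  result[:after_deleting_sincedb] =
    read_new_lines(log, sincedb, 'Maintenance.log', start_position: 'beginning')

  # Live log: a line appended later is shipped once, without re-reading the file.
  log += "WARN: 2016-Mar-14 10:22:33.789 third\n"
  result[:after_append] =
    read_new_lines(log, sincedb, 'Maintenance.log', start_position: 'beginning')
  result
end

if __FILE__ == $PROGRAM_NAME
  replay_thread_scenario.each { |stage, lines| puts "#{stage}: #{lines.inspect}" }
end
```

The first two stages ship nothing, the stage after deleting the sincedb entry ships the whole file (the re-scan the second reply warns about), and the appended line is shipped once afterwards.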
