Using wildcard character in logstash input

Hi,

I am using logstash 2.1 in Windows Server 2008 R2 OS. (Version Corrected)
I have some log files at some another server, and I am taking them as input for my logstash.

Shared Path : \\MIB030065\share2\Statoil-logs\Sharepoint/ST-W2284-20170607-0841.log

Now if I writing below in config file, it's discovering the changes (happening real time) in the same file.
input{
file{
type => "logs"
path => [ "\\MIB030065\share2\Statoil-logs\Sharepoint/ST-W2284-20170607.log" ]*
codec => multiline {
negate => true
pattern => "(^%{DATESTAMP})"
what => "previous"
charset => "UTF-8"
}
}
}

When I writing below, logstash is not able to discover that file or may be changes in that file.
input{
file{
type => "logs"
path => [ "\\MIB030065\share2\Statoil-logs\Sharepoint/ST-W2284.log" ]*
codec => multiline {
negate => true
pattern => "(^%{DATESTAMP})"
what => "previous"
charset => "UTF-8"
}
}
}

even below are not working.
path => [ "\\MIB030065\share2\Statoil-logs\Sharepoint/*.log" ]
path => [ "\\MIB030065\share2\Statoil-logs\Sharepoint/." ]
path => [ "\\MIB030065\share2\Statoil-logs\Sharepoint/*" ]

If anyone can help or come up with a workaround, I'd appreciate it.

Thanks,
Jigar Jarsania

I'd try using forward slashes instead of backslashes. I'd also be consistent about using the same kind of slashes everywhere in the filename pattern. Apart from that I don't know what's up.

If I'd use forward slashes too, then also it's not working. That's why I want to generate file name dynamically.
Is there any way to get sysdate there and I can make file name using the sysdate dynamically.?

like,
//MIB030065/share2/Statoil-logs/Sharepoint/ST-W2284-*.log

Do you expect new files to be read from the beginning or just tailed for new input? In the former case, make sure you have start_position => "beginning" in your file input.

To debug this further, let's establish whether the problem really is the file globbing. Bump up the log level and look for "discover" or "glob" in the Logstash log file. There should be a line logged every few seconds that indicates what the filename pattern expands to.

Hi Magnus,

Sorry for wrong info. It was a typo by me. The OS is Windows Server 2008 R2.

Logstash 5.0 (or 2.4 or 2.1) is not working properly with the remote logs from Windows Server 2008 OS
through logstash WINDOWS Service only.

I'm facing above wildcard issue too in the same setup.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.