How to force Logstash to reparse a file?
|
6:23 AM |
No comments |
How to force Logstash to reparse a file?
I installed Logstash to parse apache files. It took me quite q while to get the settings right and I always tried on real logs. I noticed (as the documentation says) that logstash "remembers" where it was in a file. Now my setings are Ok and I would like Logstash to "forget". This seems harder than I though. I already did the following:
used:
start_position => "beginning"deleted the complete "data" folder from elastissearch (and stopped it first)
looked at which files where opened by logstash with
lsof -p PIDand deleted everything which was promising (in my case/tmp/jffi*.tmp)
Still Logstash does not forget and parse only "fresh" files in the folder where the logs are
Any ideas?
Answer by yesnault for How to force Logstash to reparse a file?
The plugin file store history of "tailing" in sincedb file, default : under $HOME/.sincedb* , see http://logstash.net/docs/1.3.3/inputs/file#sincedb_path
The since db file contains line look like :
[inode] [major device number] [minor device number] [byte offset] So, if you want to parse again a complete file, you need to :
- delete sindedb files
- OR only delete the corresponding line in sincedb file, check the inode number before of your file (
ls -i yourFile | awk '{print $1}') - And restart Logstash
With the key start_position => "beginning, Logstash will analyze all the file.
Example of a sincedb file :
- name : .sincedb_7a7413a84171aa550d5318c17fd756e9 : the name contains sincedb_ and a MD5 (Digest::MD5.hexdigest) of all directory in key path (http://logstash.net/docs/1.3.3/inputs/file#path). See code of plugin File : https://github.com/logstash/logstash/blob/master/lib/logstash/inputs/file.rb#L105
Answer by Ben Lim for How to force Logstash to reparse a file?
Logstash will keep the record in $HOME/.sincedb_* . You can delete all the .sincedb and restart logstash, Logstash will reparse the file.
Answer by flazzarini for How to force Logstash to reparse a file?
By default logstash writes the position is last was on to a logfile which usually resides in
$HOME/.sincedb. Logstash can be fooled into believing it never parsed the logfile by specifying /dev/null as sincedb_path. Here the part of the documentation Input File.
Where to write the since database (keeps track of the current position of monitored log files). Defaults to the value of environment variable "$SINCEDB_PATH" or "$HOME/.sincedb".
Config Example
input { file { path => "/tmp/logfile_to_analyse" start_position => "beginning" sincedb_path => "/dev/null" } } Answer by Dan for How to force Logstash to reparse a file?
I found it in my home dir but after deleting it, logstash refused to re-pick the existing log files. The way I got it to work was to add
sincedb_path => "/opt/elk/sincedb/" to my file plugin. I think to reset each time, just change the path of sincedb_path
Answer by elwarren for How to force Logstash to reparse a file?
If you are using logstash-forwarder check your home for .logstash-forwarder file instead:
{ "/var/log/messages": { "source": "/var/log/messages", "offset": 43715, "inode": 12967, "device": 51776 } } Answer by Seth for How to force Logstash to reparse a file?
After deleting $HOME/.sincedb_* it still wasn't ingesting data for me.
After trying a bunch of things I removed all but the main .conf file from /etc/logstash/conf.d and restarted logstash, and everything worked. I can only assume there was something in one of the .conf files that logstash was silently hanging on.
Answer by Shubham Gupta for How to force Logstash to reparse a file?
Actually reparsing each time is very costly if the file has large data in it. So you need to be careful before doing this. If we want to force it to reparse again then set the parameter inside input block
sincedb_path => "/dev/null" This option will not be storing the .sincedb file and logstash will reparse each time. But if you want to reparse occasionaly not each time then what you can do is that delete manually the .sinceDb path which is created on parsing the file. Generally it is present in the home directory as a hidden file if you are not a root user otherwise in root directory. You can also set the sincedb_path to some other location to trace this file easily.
sincedb_path => "/home/shubham/sinceDB/productsSince.db" Answer by GreensterRox for How to force Logstash to reparse a file?
If you want to avoid messing with the logstash options I've found that renaming or removing the existing log file and creating a new file from the old file contents will trick logstash into re-indexing.
Fatal error: Call to a member function getElementsByTagName() on a non-object in D:\XAMPP INSTALLASTION\xampp\htdocs\endunpratama9i\www-stackoverflow-info-proses.php on line 72
0 comments:
Post a Comment