如何强制 Logstash 重新解析文件? [英] How to force Logstash to reparse a file?

问题描述

我安装了 Logstash 来解析 apache 文件.我花了很长时间才使设置正确，而且我总是尝试使用真实日志.我注意到(如文档所述)logstash记住"了它在文件中的位置.现在我的设置正常，我希望 Logstash忘记".这似乎比我更难.我已经做了以下事情:

I installed Logstash to parse apache files. It took me quite q while to get the settings right and I always tried on real logs. I noticed (as the documentation says) that logstash "remembers" where it was in a file. Now my setings are Ok and I would like Logstash to "forget". This seems harder than I though. I already did the following:

• 使用:start_position =>开始"

从 elastissearch 中删除了完整的data"文件夹(并先停止了它)

deleted the complete "data" folder from elastissearch (and stopped it first)

使用 lsof -p PID 查看由 logstash 打开的文件，并删除了所有有希望的文件(在我的情况下为 /tmp/jffi*.tmp)

looked at which files where opened by logstash with lsof -p PID and deleted everything which was promising (in my case /tmp/jffi*.tmp)

仍然Logstash不会忘记并仅解析日志所在文件夹中的新鲜"文件

Still Logstash does not forget and parse only "fresh" files in the folder where the logs are

有什么想法吗?

推荐答案

默认情况下，logstash 将最后一个位置写入到通常位于 $HOME/.sincedb 的日志文件中.通过将 /dev/null 指定为 sincedb_path，可以让 Logstash 相信它从未解析过日志文件.

By default logstash writes the position is last was on to a logfile which usually resides in $HOME/.sincedb. Logstash can be fooled into believing it never parsed the logfile by specifying /dev/null as sincedb_path.

这里是文档的一部分输入文件.

从哪里写入since数据库(跟踪当前位置受监控的日志文件).默认为环境变量的值$SINCEDB_PATH"或$HOME/.sincedb".

Where to write the since database (keeps track of the current position of monitored log files). Defaults to the value of environment variable "$SINCEDB_PATH" or "$HOME/.sincedb".

配置示例

input {
    file {
        path => "/tmp/logfile_to_analyse"
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
}

这篇关于如何强制 Logstash 重新解析文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！