无法使用logstash版本2.3.2重新处理日志文件 [英] Unable to re-process the log file using logstash version 2.3.2

问题描述

我已经使用logstash处理了一个文件，并将其推送到弹性搜索工作。但是，我必须对logstash conf文件进行一些更改，并且需要再次处理日志文件。我删除了es上的索引并重新启动了logstash。我没有看到弹性搜索中的数据，看起来文件没有被处理。

I have processed a file using logstash and pushed it to elasticsearch it work. However, I had to make some changes to the logstash conf file and need to process the log file again. I deleted the index on es and restarted the logstash. I dont see the data in elasticsearch, it looks like the file is not being processed.

1. I am using logstash version 2.3.2
2. I deleted _sincedb file, restarted logstash, no log
3. I checked the conf file syntax via --configcheck and it is ok.

任何想法我在这里缺少什么？

Any ideas what I am missing here?

我看不到任何索引创建，es中没有数据。我尝试了这些步骤多次。

I dont see any index created, no data in es. I tried these steps multiple times.

推荐答案

Logstash很聪明，可以记住，直到哪一行已经处理了你所拥有的每个文件给他并将该光标存储在sincedb文件中。

Logstash is smart enough to remember until which line it has already processed each file you've given him and stores that cursor in a sincedb file.

因此，除了路径设置外，您还需要在文件输入，确保每次运行时重新处理该文件：

So, in addition to the path setting, you need to specify two more parameters in your file input that will make sure that the file is re-processed on each run:

file {
    path => "/path/to/file"
    start_position => "beginning"
    sincedb_path => "/dev/null"
}

这篇关于无法使用logstash版本2.3.2重新处理日志文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！