如何强制Logstash重新排列文件？ [英] How to force Logstash to reparse a file?

问题描述

我安装了Logstash来解析apache文件。我花了很多时间才能正确设置设置，我总是尝试使用真实的日志。我注意到（如文档所说），logstash记住文件在哪里。现在我的设置好了，我想让Logstash忘记。这似乎比我更难。我已经做了以下工作：

I installed Logstash to parse apache files. It took me quite q while to get the settings right and I always tried on real logs. I noticed (as the documentation says) that logstash "remembers" where it was in a file. Now my setings are Ok and I would like Logstash to "forget". This seems harder than I though. I already did the following:

• used： start_position => 开始

从弹性搜索中删除完整的数据文件夹（并先停止）

deleted the complete "data" folder from elastissearch (and stopped it first)

查看由logstash打开的文件，其中包含 lsof -p PID 并删除了所有有希望的内容（在我的情况下 /tmp/jffi*.tmp ）

looked at which files where opened by logstash with lsof -p PID and deleted everything which was promising (in my case /tmp/jffi*.tmp)

Still Logstash不会忘记并且只解析日志文件夹中的新鲜文件

Still Logstash does not forget and parse only "fresh" files in the folder where the logs are

任何想法？

推荐答案

默认情况下，logstash写入的位置是最后一个日志文件，通常位于$ code> $ HOME / .sincedb 中。 Logstash可以被愚弄，认为它从未通过将 / dev / null 指定为 sincedb_path 来解析日志文件。

By default logstash writes the position is last was on to a logfile which usually resides in $HOME/.sincedb. Logstash can be fooled into believing it never parsed the logfile by specifying /dev/null as sincedb_path.

这里的一部分文档输入文件。

从哪里写入数据库（跟踪当前位置
的监控日志文件）。默认为环境变量
$ SINCEDB_PATH或$ HOME / .sincedb的值。

Where to write the since database (keeps track of the current position of monitored log files). Defaults to the value of environment variable "$SINCEDB_PATH" or "$HOME/.sincedb".

配置示例

input {
    file {
        path => "/tmp/logfile_to_analyse"
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
}

这篇关于如何强制Logstash重新排列文件？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！