问
文件输入不适用于logstash
会哭的鱼2602919185 发布于 2023-01-10 09:36当我使用stdin作为输入流时,我得到了正确的输出.但每当我使用该文件作为输入时,输出会在以下消息后冻结.
"Using milestone 2 input plugin 'file'. This plugin should be stable but if you see strange behavior, please let us know."
这是我的配置文件.
input {
file {
path => ["c:/users/a/b/c/logstash-1.4.1/bin/logs/logfile.log"]
start_position => beginning
}
}
filter {
grok {
patterns_dir => "./patterns"
break_on_match => "false"
match => ["message", "%{MY_DATE:my_date}"]
}
grok {
patterns_dir => "./patterns"
break_on_match => "false"
match => ["message", "%{DATE:date}"]
}
grok {
patterns_dir => "./patterns"
break_on_match => "false"
match => ["message", "%{TIME:time}"]
}
grok {
patterns_dir => "./patterns"
break_on_match => "false"
match => ["message", "%{LOG_LEVEL:log_level}"]
}
grok {
patterns_dir => "./patterns"
break_on_match => "false"
match => ["message", "%{SERVER:server}"]
}
grok {
patterns_dir => "./patterns"
break_on_match => "false"
match => ["message", "%{CLASS_NAME:class_name}"]
}
}
output {
stdout { codec => rubydebug }
elasticsearch { host => localhost }
}
我的文件路径格式是否错误?
1 个回答
-
您是否将新日志写入日志文件?
start_position选项仅修改"第一次联系"情况
a file is new and not seen before.这是因为Logstash将为每个文件保存一个sincedb,以跟踪受监视日志文件的当前位置.因此,下次重新启动Logstash时,Logstash将根据sincedb记录开始监视文件,start_position将不起作用.因此,如果要导入旧日志,则必须在启动logstash之前删除所有.sincedb文件并添加start_position选项.
2023-01-10 09:40 回答
静净精时
撰写答案
今天,你开发时遇到什么问题呢?
立即提问
京公网安备 11010802041100号