Many questions have been asked here on Stack Overflow on a similar subject, like this question, but none of them helped me reset Logstash. I've used:

input {
  file {
    path => ["/var/log/nginx/access.log"]
    start_position => "beginning"
  }
}

I've read that .sincedb can be set. But as I don't have these files I think it is unnecessary to set a file path for that.

Is there any other place where I could easily reset Logstash? Why is such a simple method so hard to do?


EDIT1: I've also tried sincedb_path with /dev/null, as this question said. Again, it read from today, not from the beginning of the log file.

Alireza
  • `Again it read from today` Is there any kind of log rotation? Your problem might come from there – baudsp Jul 11 '16 at 12:24
  • @baudsp Yes I have but I also have some records from yesterday (10-07) – Alireza Jul 11 '16 at 12:34
  • What I meant is that the content from yesterday got rotated in another log file. But apparently it's not the case – baudsp Jul 11 '16 at 13:11
  • @baudsp I have log rotation in place, but inside the log file I have some records from yesterday. – Alireza Jul 12 '16 at 06:08

1 Answer

You can do it by hand by modifying the .sincedb file.

According to the documentation:

Sincedb files are text files with four columns:
1. The inode number (or equivalent).
2. The major device number of the file system (or equivalent).
3. The minor device number of the file system (or equivalent).
4. The current byte offset within the file.

So you can change the last number to zero to restart the file at the beginning.

baudsp
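The manual edit described in the answer above, as an added example that is not part of the original answer: a Python sketch that finds the sincedb line for one log file by the columns listed there and sets only its byte offset to zero. The names `reset_sincedb_offset` and `demo` are hypothetical, the sample data is constructed, and accepting the device written either as a major/minor pair or as `0 <st_dev>` is an assumption.

```python
import os
import shutil
import tempfile


def reset_sincedb_offset(sincedb_path, log_path):
    """Zero the offset of log_path's sincedb entry; return entries changed."""
    st = os.stat(log_path)
    inode = str(st.st_ino)
    # Columns 2-3 are the device numbers. Assumption: accept both a split
    # major/minor pair and the raw st_dev stored unsplit as "0 <st_dev>".
    devices = {
        (str(os.major(st.st_dev)), str(os.minor(st.st_dev))),
        ("0", str(st.st_dev)),
    }
    changed, out = 0, []
    with open(sincedb_path) as fh:
        for line in fh:
            f = line.split()
            if len(f) >= 4 and f[0] == inode and (f[1], f[2]) in devices:
                changed += f[3] != "0"
                f[3] = "0"  # column 4: current byte offset
                line = " ".join(f) + "\n"  # later columns are preserved
            out.append(line)
    # Write a sibling temp file, then rename: never a half-written sincedb.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(sincedb_path)))
    with os.fdopen(fd, "w") as fh:
        fh.writelines(out)
    shutil.copymode(sincedb_path, tmp)  # keep the original permission bits
    os.replace(tmp, sincedb_path)
    return changed


def demo():
    """Constructed sample: one tracked log, one unrelated sincedb entry."""
    with tempfile.TemporaryDirectory() as d:
        log, db = os.path.join(d, "access.log"), os.path.join(d, ".sincedb")
        with open(log, "w") as fh:
            fh.write("constructed log line\n")
        st = os.stat(log)
        with open(db, "w") as fh:
            fh.write(f"{st.st_ino} 0 {st.st_dev} 4096\n999999999999 7 7 512\n")
        n = reset_sincedb_offset(db, log)
        with open(db) as fh:
            return n, fh.read().splitlines()


if __name__ == "__main__":
    print(demo())
```

Stop Logstash before editing the file, because a running instance rewrites the sincedb from the offsets it holds in memory.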