janmg
commented
4 years ago I admit, it's not clear at all. But the way the plugin at the startup lists all files and compares them with the registry of files that have already been processed. The default is to resume where the registry left off. So if you shutdown logstash one hour, it would only process that hour.
registry_create_policy, :validate => ['resume','start_over','start_fresh']
As alternative for the configuration "registry_create_policy" is that you can "start_over" processing all the files and recreate the registry. Or what you actually want "start_fresh", that assumes all the previous files exist, but processing is skipped.
The registry is a file on the storage_account that contains the file path, the bytes that have been processed and the file size in bytes. What the registry_create_policy does is set the processed bytes to the filesize so effectively skipping the file, unless it grows.
You can set the value initially to start_fresh, run the pipeline so that the registry is created and then change the config to resume, or remove the config because resume is the default.
blacs30
I'm readings logs from AKS. The container contains already logs from previous months and multiple different clusters. The plugin seems to read the earliest available logs. However I'd like to start with the latest and ignore all other logs from before x days or exclude a prefix.
For testing purposes I've added now a prefix but I don't want to change this each month. And I also don't want to create multiple inputs based on cluster in my case.
resourceId= / SUBSCRIPTIONS /12345 / RESOURCEGROUPS / RGAKSXYZ / PROVIDERS / MICROSOFT.CONTAINERSERVICE / MANAGEDCLUSTERS / CLUSTER1 / y=2020 / m=05Is there already a solution to this which I've overlooked?