Making Logstash read a file from the beginning every time, plus common issues
input {
    file {
        path => ["/data/test.log"]
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
}
output {
    stdout {
        codec => rubydebug
    }
}
The key is the line sincedb_path => "/dev/null". This parameter specifies the sincedb file, in which Logstash records how far it has read into each file. If we point it at /dev/null, the special null device on Linux, then every time the Logstash process restarts and tries to read the sincedb contents, it only ever sees empty content. It therefore concludes that there is no record of a previous run and starts reading from the initial position.
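The null-device trick is easy to verify outside Logstash. Below is a minimal Python sketch (my own illustration, not part of the original setup) showing that anything written to /dev/null is discarded, which is why a sincedb stored there always reads back empty:

# Writes to /dev/null are discarded; reads always return empty content.
with open('/dev/null', 'w') as f:
    f.write('270818 0 64768 1580\n')   # a made-up sincedb-style record
with open('/dev/null') as f:
    print(repr(f.read()))              # prints '' -- the "record" is gone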
Handling the ES "Result window is too large" error:
While running search queries against Elasticsearch, I hit the "Result window is too large" error.
Here is a quick reproduction of the error:
In [1]: import requests

In [2]: requests.get('http://127.0.0.1:9200/cmdb-now/_search?page=1&size=10000000').json()
Out[2]:
{u'error': {u'failed_shards': [{u'index': u'cmdb-now',
     u'node': u'ldeZMZRAR6uZpAiIr5QxBQ',
     u'reason': {u'reason': u'Result window is too large, from + size must be less than or equal to: [10000] but was [10000000]. See the scroll api for a more efficient way to request large data sets. This limit can be set by changing the [index.max_result_window] index level parameter.',
      u'type': u'query_phase_execution_exception'},
     u'shard': 0}],
   u'grouped': True,
   u'phase': u'query',
   u'reason': u'all shards failed',
   u'root_cause': [{u'reason': u'Result window is too large, from + size must be less than or equal to: [10000] but was [10000000]. See the scroll api for a more efficient way to request large data sets. This limit can be set by changing the [index.max_result_window] index level parameter.',
     u'type': u'query_phase_execution_exception'}],
   u'type': u'search_phase_execution_exception'},
 u'status': 500}
From the error message above, ES is telling me that the result window is too large: from + size must be at most 10000, but I asked for 10000000. It also points out that I can raise the index.max_result_window index-level setting to enlarge the result window.
I googled how to change this setting; the command is as follows:
curl -XPUT http://10.75.8.167:9200/logstash-sql-2017.*/_settings -d '{ "index" : { "max_result_window" : 100000000}}'
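Note that raising index.max_result_window lets deep from + size queries through, but ES still has to materialize all of those hits in memory, so very large windows can strain the heap. For genuinely large result sets, the error message itself recommends the scroll API instead. Below is a minimal sketch with requests, assuming the same local ES at 127.0.0.1:9200 and the cmdb-now index from the reproduction above:

import requests

es = 'http://127.0.0.1:9200'
index = 'cmdb-now'

# Open a scroll context: the first request returns one page of hits
# plus a scroll_id for fetching the next page.
resp = requests.get(es + '/' + index + '/_search',
                    params={'scroll': '1m', 'size': 1000}).json()
hits = resp['hits']['hits']

# Keep pulling pages until one comes back empty.
while hits:
    for doc in hits:
        pass  # process doc['_source'] here
    resp = requests.post(es + '/_search/scroll',
                         json={'scroll': '1m',
                               'scroll_id': resp['_scroll_id']}).json()
    hits = resp['hits']['hits']

The page size of 1000 is an arbitrary choice; the 1m scroll timeout only needs to be long enough to process one page before requesting the next.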