Logstash is running.
How long takes it from adding a single line to a log file until Logstash recognize the new line and start to transform and output it.
With a simple BASH script I measure from 99 msec up to 800 msec including a transformation. It’s clear that the latency depends on the Logstash transformation, HD, OS and the CPU. But how recognize Logstash the file change? Is there an internal timer? Pulls logstash from file?
Advertisement
Answer
Logstash’s file input polls the files being watched at the interval set in the stat_interval
parameter, which currently (Logstash 1.5) defaults to 1, i.e. every second.
In other words, assuming that
- Logstash isn’t behind on the reading any of the log files monitored by a particular file input and
- the Logstash process isn’t CPU-starved (it usually runs at priority 19 so heavy CPU usage by other processes could cause scheduling delays),
new events will on average get picked up within 500 ms and in the worst case within 1000 ms.