Add logstash custom pattern error

Tr_ng_Trang · November 9, 2016, 7:54am

hi all,
i am beginner with logstash, i have a question about custom pattern for logstash.
I want to define new pattern for file_type like this:
DEFGH (?:asd?|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|ocx|pif|reg|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wsf|wsh|xl?)
for word is bat or chm or com ....
i test success when test in grokconstructor page like this :

but when setup in on logstash like file:
input {
beats {
port => 5044
}
}
filter {
grok {
patterns_dir => "/etc/logstash/conf.d/patterns"
match => {
"message" => ["%{WORD:amavis_action} %{WORD:amavis_category} (.%{DEFGH:file_type},%{DATA:a})"]}
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}
and file patterns like above it error, anyone help me pls,
thank you.

magnusbaeck · November 9, 2016, 8:00am

Please show the full error message.

Tr_ng_Trang · November 9, 2016, 8:03am

[2016-11-08T23:21:50,550][ERROR][logstash.agent ] fetched an invalid config {:config=>"input {\n beats {\n port => 5044\n }\n}\nfilter {\n grok {\n\tpatterns_dir => {"/etc/logstash/conf.d/patterns"}\n\tmatch => { \t\n\t"message" => ["%{WORD:amavis_action} %{WORD:amavis_category} \(.%{DEFGH:file_type},%{DATA:a}\)",\n\t"%{WORD:amavis_action} %{WORD:amavis_category} \(%{DATA:a},.%{DEFGH:file_type},%{DATA:b}\)"\n\t\t]}\n }\n}\noutput {\n elasticsearch { hosts => ["localhost:9200"] }\n stdout { codec => rubydebug }\n}\n\n\nDEFGH (?:asd?|bat|chm|cmd|com|dll|do|exe|hlp|hta|js|jse|lnk|ocx|pif|reg|scr|shb|shm|shs|vbe|vbs|vbx|vxd|wsf|wsh|xl?)\n\n", :reason=>"Expected one of #, => at line 8, column 50 (byte 109) after filter {\n grok {\n\tpatterns_dir => {"/etc/logstash/conf.d/patterns""}
thanksyou for reply, its error log, i don't know why pattern line add to end of file and say error,

magnusbaeck · November 9, 2016, 8:04am

There's a brace missing; you're not closing your filter block before output starts.

Tr_ng_Trang · November 9, 2016, 8:15am

i dont know, i think its problem but i check it again so brace is enough,
can you show me exactly problem, i can't see problem.
or you can copy my file cfg you fix it for me in reply , thanks you very much

magnusbaeck · November 9, 2016, 8:33am

You need an extra } before output. Over and out.

Tr_ng_Trang · November 9, 2016, 9:02am

sry but its'still error when i add } before output, error message is same wih i post before.
Can you give me a example about use patter direct not use pattern_dir ?, i think it can make me check ez

Tr_ng_Trang · November 10, 2016, 3:44am

can u response me soon, i really need to resolve problem :((

system · December 8, 2016, 3:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What Would be the filetype for our custom patterns in ./pattern directory Logstash	9	4225	July 14, 2017
How to make a custom grok filter Logstash	12	3152	March 21, 2018
Custom GROK Patterns not work Logstash	5	11617	May 22, 2017
Logstash Custom Patterns is not not working Logstash	1	302	January 15, 2019
Custom Pattern is not working in Logstash Logstash	3	365	March 26, 2018

Add logstash custom pattern error

Related topics