Config Error : configuration is invalid. Reason: Expected one of #, =>

Elastic Stack Logstash
1

Here is my logstash configuration

filter {
grok {
	match => {
		"message" => { '%{DATA:req_id} %{IPV4:host} %{DATA:machine_name} %{DATA:location} %{DATA:zuid} %{DATA:zoid} %{DATA:thread_id} %{DATA:class_name} %{DATA:method} %{DATA:level} %{DATA:timestamp} %{DATA:zl_thread_id} %{DATA:message}' }
	}
}
date {
	match => [ "timestamp" , "dd-MM-yyyy HH:mm:ss Z" ]
}
mutate {
remove_field => ["@version" ,"req_id" ,"host" ,"machine_name" ,"location" ,"zuid" ,"zoid" ,"zl_thread_id"] } }

Error Message
[2019-06-02T23:35:21,738][FATAL][logstash.runner ] The given configuration is invalid. Reason: Expected one of #, => at line 10, column 234 (byte 367) after filter {
grok {
match => {
"message" => { '%{DATA:req_id} %{IPV4:host} %{DATA:machine_name} %{DATA:location} %{DATA:zuid} %{DATA:zoid} %{DATA:thread_id} %{DATA:class_name} %{DATA:method} %{DATA:level} %{DATA:timestamp} %{DATA:zl_thread_id} %{DATA:message}'
[2019-06-02T23:35:21,752][ERROR][org.logstash.Logstash ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

1 Like
2

The message parameter in the grok filter should be a string or a list of strings, so you should not have any curly braces there.

3

grok {
match => {
"message" => "%{DATA:req_id} %{IPV4:host} %{DATA:machine_name} %{DATA:location} %{DATA:zuid} %{DATA:zoid} %{DATA:thread_id} %{DATA:class_name} %{DATA:method} %{DATA:level} %{DATA:timestamp} %{DATA:zl_thread_id} %{DATA:message}"
}
}

4

You still have curly braces. Look at the examples in the documentation.

1 Like
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.