ConfigurationError in Logstash

SRIpandu1729 · April 17, 2018, 2:18pm

I have 2 inputs, 1 coming from file and another from filebeat from a remote server. I need to index these into elasticsearch. The output should send them to 2 different indes patterns. So I configured my logstash as follows. But whenever I am trying to run logstash it is giving me a configuration error.

LOGSTASH CONF FILE

input {
file {
	path => "/home/DATA/u_ex*.log"
	start_position => "beginning"
	sincedb_path => "/dev/null"
	type => "real"
}

beats {
	port => 5044
	type => "test"
}
}

filter {
if [message] =~ "^#" {
	drop {}
}

grok {
	match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:serviceName} %{NOTSPACE:serverName} %{IPORHOST:serverIP} %{NOTSPACE:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken}"]
	}

date {
	match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
	timezone => "UTC"
}

useragent {
	source => "userAgent"
}

mutate {
	convert => ["bytesSent", "integer"]
	convert => ["bytesReceived", "integer"]
	convert => ["timetaken", "integer"]

	remove_field => [ "log_timestamp", "serviceName", "serverName", "serverIP", "port", "username", "protocolVersion", "requestHost", "subresponse", "win32response", "build", "os_name", "host", "major", "minor", "os_major", "os_minor", "patch", "path", "userAgent", "@version", "uriQuery", "cookie", "method"]
}
}

output {
if [type] == "real" {
	elasticsearch {
		index => "log-%{+YYYY-MM-dd}"
	}
    }
if [type] == "test" {
	elasticsearch {
		index => "beats-%{+YYYY.MM.dd}"
	}
}
}

The error given by Logstash is

[2018-04-17T13:25:27,609][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2018-04-17T13:25:27,620][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2018-04-17T13:25:28,682][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.2.2"}
[2018-04-17T13:25:29,030][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2018-04-17T13:25:29,735][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, else, if, \", ', } at line 83, column 1 (byte 2688) after output {\n\tif [type] == \"real\" {\n\t\telasticsearch {\n\t\t\tindex => \"log-%{+YYYY-MM-dd}\"\n\t\t}\n\n\tif [type] == \"test\" {\n\t\telasticsearch {\n\t\t\tindex => \"beats-%{+YYYY.MM.dd}\"\n\t\t}\n\t}\n}\n", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:51:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:169:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:315:in `block in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in `with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:312:in `block in converge_state'", "org/jruby/RubyArray.java:1734:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:299:in `converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:166:in `block in converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in `with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:164:in `converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:90:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:348:in `block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}

It said " Expected one of #, else, if, ", ', } " but I don't quite understand why one of those is necessary. Can you please look point me what I doing wrong?

Badger · April 17, 2018, 2:33pm

You are missing a } to close out if [type] == "real" {

system · May 15, 2018, 2:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Log stash Configuration Error Logstash	6	20115	February 22, 2018
Where do I find proper syntax for configuring logstash? Logstash	1	234	November 3, 2020
Invalid Configuration Error Logstash	14	868	September 11, 2018
Logstash ConfigurationError Logstash	5	428	December 16, 2022
Logstash - Filter - Error message(LogStash::ConfigurationError) Logstash	2	299	August 28, 2020

ConfigurationError in Logstash

Related topics