CRIT Exiting: No prospectors defined. What files do you want me to watch?

I am having problem with regular expression not working in filebeat 5.5

filebeat.prospectors:
- input_type: log

  paths:
    - D:\uat\beats\filebeat550\input_logs\tt_tradingserver\*

  #use regular expression
  exclude_files: ["TradingServer_.*Copy.*\.log$|TradingServer_[0-9]+Jun17.log$|TradingServer_[0-9]+Jul17.log$"]

I am excluding all logs files having Jul17, Jul17 and the word 'Copy' in its name

Below is the list of files available in the directory

TradingServer_01Aug17.log
TradingServer_01Jul17.log
TradingServer_01Jun17.log
TradingServer_02Aug17.log
TradingServer_02Jun17.log
TradingServer_03Aug17.log
TradingServer_03Jul17.log
TradingServer_04Jul17.log
TradingServer_04Jun17.log
TradingServer_05Jul17.log
TradingServer_05Jun17.log
TradingServer_06Jul17.log
TradingServer_06Jun17.log
TradingServer_07Jul17.log

But I am getting an error as

CRIT Exiting: No prospectors defined. What files do you want me to watch?

I have checked this regular expression in EditPlus as well on regular expression validation websites it is working fine there but not in FileBeats

That error doesn't indicate a problem with the regular expression. Are you sure it's the regular expression causing the error? Can you please comment out the exclude_lines and see if the error persists.

BTW We recommend that you wrap regular expressions in single quotation marks to work around YAML’s string escaping rules. (see Regular Expression Support)

1 Like

Hi,

Without exclude_files it is working and it is also working with below excludes_files

exclude_files: ["TradingServer_[0-9]+Jun17.log$|TradingServer_[0-9]+Jul17.log$"]

but when i add below expression then only i am getting error.

TradingServer_.*Copy.*\.log$|

Now it is working absolutely fine, used single quote, stopped using | pipe sign, and made each regular expression separate

exclude_files: ['TradingServer_.*Copy.*\.log$', 'TradingServer_[0-9]+Jun17.log$', 'TradingServer_[0-9]+Jul17.log$']

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.