Custom filter in ruby?

Hello, I've used this config but get an error when it is executed:

filter {
  ruby {
    code => '
      if event.get("message").include? ' INFO '
        event.cancel
      end
    '
  }
}

error:

252][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}

[2022-09-30T14:03:36,745][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"=>\" at line 17, column 56 (byte 312) after filter {\r\n \r\n ruby {\r\n \r\n code => '\r\n\t if event.get(\"message\").include? ' INFO ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:383:in block in converge_state'"]}

[2022-09-30T14:03:37,149][INFO ][org.reflections.Reflections] Reflections took 120 ms to scan 1 urls, producing 119 keys and 417 values

[2022-09-30T14:03:37,689][WARN ]

Your quotes are being mixed up: you open the code block with a single quote, so you need to close it with another single quote.

Since you have a single quote after include?, it is closing the block; you can't use single quotes inside a single-quoted block.

Try to use double quotes instead.

Also, you do not need any ruby code to do that comparison.

This would be easier:

if "INFO" in [message] {
    drop {}
}

Yes, very good. The problem is multiline; I've used it in 1 line and it's OK:

code => "event.cancel if not event.get('message').include? 'ERROR' "
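
Another way to avoid the quoting problem discussed in this thread, as an added example that is not from any of the posters: the ruby filter's `path` option loads the code from a script file that defines `register` and `filter`, so no Ruby sits inside a quoted config string. The file name, the `needle` parameter and the `StubEvent` class are assumptions made for this example.

```ruby
# drop_by_level.rb -- hypothetical script file, referenced from the pipeline as:
#   filter {
#     ruby {
#       path => "/etc/logstash/drop_by_level.rb"
#       script_params => { "needle" => " INFO " }
#     }
#   }
# The Ruby lives in its own file, so config-string quoting never applies to it.

# Called once at pipeline start with the script_params hash.
def register(params)
  @needle = params.fetch("needle", " INFO ")
end

# Called for every event. The returned array is what continues down the
# pipeline; returning [] drops the event, the same effect as event.cancel.
def filter(event)
  message = event.get("message")
  # Keep events with a missing or non-string message instead of dropping them:
  # calling include? on nil would raise NoMethodError.
  return [event] unless message.is_a?(String)
  message.include?(@needle) ? [] : [event]
end

# Constructed stand-in for LogStash::Event so the script also runs outside Logstash.
class StubEvent
  def initialize(fields)
    @fields = fields
  end

  def get(name)
    @fields[name]
  end
end

# Runs the filter over constructed sample events and returns how many events
# each one yields (0 = dropped, 1 = kept).
def demo
  register({ "needle" => " INFO " })
  samples = [
    StubEvent.new({ "message" => "2022-09-30 14:03:36 INFO started" }),
    StubEvent.new({ "message" => "2022-09-30 14:03:37 ERROR failed" }),
    StubEvent.new({}) # no message field at all
  ]
  samples.map { |e| filter(e).length }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```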
