Custom filter in ruby?

Nikolas1306 · September 30, 2022, 2:02pm

hello i've used this config but have error when executed

filter {

ruby {

        code => '
              if event.get("message").include? ' INFO '
                  event.cancel
              end
                '
      
  }

}

error:

252][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}

[2022-09-30T14:03:36,745][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"=>\" at line 17, column 56 (byte 312) after filter {\r\n \r\n ruby {\r\n \r\n code => '\r\n\t if event.get(\"message\").include? ' INFO ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:383:in block in converge_state'"]}

[2022-09-30T14:03:37,149][INFO ][org.reflections.Reflections] Reflections took 120 ms to scan 1 urls, producing 119 keys and 417 values

[2022-09-30T14:03:37,689][WARN ]

leandrojmp · September 30, 2022, 3:00pm

Your quotes are being mixed up, you open the code block with a single quote, so you need to close it with another single quote.

Since you have a single quote after include? it is closing the block, you can't use single quotes inside a single quoted block.

Try to use double quotes instead.

Also, you do not need any ruby code to do that comparison.

This would be easier:

if "INFO" in [message] {
    drop {}
}

Nikolas1306 · September 30, 2022, 3:49pm

yes very good the problem is multiline i' ve used in 1 line and it's ok

code => "event.cancel if not event.get('message').include? 'ERROR' "

system · October 28, 2022, 3:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash ConfigurationError - Failed to execute action Logstash	2	416	June 16, 2023
Custom Filter for remote Command Logstash	1	271	July 3, 2018
Filter individual json fields using json filters Logstash	17	1393	December 28, 2020
_rubyexception when accessing 'event' array in ruby code Logstash	3	1679	July 6, 2017
LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"if\", [A-Za-z0-9_-], '\"', \"'\", \"}\" Logstash	13	5244	September 21, 2022

Custom filter in ruby?

Related Topics