Custom filter in ruby?

Nikolas1306 · September 30, 2022, 2:02pm

hello i've used this config but have error when executed

filter {

ruby {

        code => '
              if event.get("message").include? ' INFO '
                  event.cancel
              end
                '
      
  }

}

error:

252][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}

[2022-09-30T14:03:36,745][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"=>\" at line 17, column 56 (byte 312) after filter {\r\n \r\n ruby {\r\n \r\n code => '\r\n\t if event.get(\"message\").include? ' INFO ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:383:in block in converge_state'"]}

[2022-09-30T14:03:37,149][INFO ][org.reflections.Reflections] Reflections took 120 ms to scan 1 urls, producing 119 keys and 417 values

[2022-09-30T14:03:37,689][WARN ]

leandrojmp · September 30, 2022, 3:00pm

Your quotes are being mixed up, you open the code block with a single quote, so you need to close it with another single quote.

Since you have a single quote after include? it is closing the block, you can't use single quotes inside a single quoted block.

Try to use double quotes instead.

Also, you do not need any ruby code to do that comparison.

This would be easier:

if "INFO" in [message] {
    drop {}
}

Nikolas1306 · September 30, 2022, 3:49pm

yes very good the problem is multiline i' ve used in 1 line and it's ok

code => "event.cancel if not event.get('message').include? 'ERROR' "

system · October 28, 2022, 3:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Ruby filter error Logstash	10	2836	August 15, 2018
Simple ruby filter failing Logstash	2	467	March 27, 2018
Logstash 6.4.1 Conditional Filter Problem Logstash	3	381	November 25, 2018
Syntax error with filter Logstash	4	393	August 22, 2019
Logstash configuration file error filtering Logstash	6	1214	February 27, 2019

Custom filter in ruby?

Related topics