Error: Expected one of #, {, ,, ]

marcelo · June 29, 2018, 3:12am

I noticed that over time my logstash stops receiving information from my filebeats, analyzing the log I am getting this error message:

[2018-06-28T23:55:46,344][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, ", ', -, [, { at line 15, column 27 (byte 754) after filter {\n if "PJE-PROFILER" in [tags] {\n grok {\n match => { "message" => '^%{DATA:PROFILER_uuid};%{WORD:PROFILER_request_status};%{WORD:PROFILER_method};%{URI:PROFILER_url};%{WORD:PROFILER_year};%{WORD:PROFILER_\nmonth};%{WORD:PROFILER_day};%{WORD:PROFILER_hour};%{WORD:PROFILER_minute};%{WORD:PROFILER_second};%{WORD:PROFILER_millisecond};(?:%{INT:PROFILER_Nao_sei});(?:%{INT:PROF\nILER_elapsed_time_request}|);%{IPV4:clientip};%{DATA:PROFILER_thread};%{DATA:PROFILER_session};%{DATA:PROFILER_session_id};%{DATA:PROFILER_user_id};%{DATA:PROFILER_user\n_name};%{DATA:PROFILER_profile};%{DATA:PROFILER_agent};'}\n }\n if "tjpe.gov.br" in [beat][hostname] {\n mutate {\n add_field => {\n "NODE_UNION" => ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:49:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:167:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:inexecute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:305:in `block in converge_state'"]}

My file:

input { 
  stdin { }
}
filter {
  if "PJE-PROFILER" in [tags] {
    grok {
      match => { "message" => '^%{DATA:PROFILER_uuid};%{WORD:PROFILER_request_status};%{WORD:PROFILER_method};%{URI:PROFILER_url};%{WORD:PROFILER_year};%{WORD:PROFILER_month};%{WORD:PROFILER_day};%{WORD:PROFILER_hour};%{WORD:PROFILER_minute};%{WORD:PROFILER_second};%{WORD:PROFILER_millisecond};(?:%{INT:PROFILER_Nao_sei});(?:%{INT:PROFILER_elapsed_time_request}|);%{IPV4:clientip};%{DATA:PROFILER_thread};%{DATA:PROFILER_session};%{DATA:PROFILER_session_id};%{DATA:PROFILER_user_id};%{DATA:PROFILER_user_name};%{DATA:PROFILER_profile};%{DATA:PROFILER_agent};'}
    }
    if "mydomain" in [beat][hostname]{
      mutate {
        add_field => {
          "NODE_UNION" => %{[beat][hostname]}
        }
      }
      mutate {
        gsub => [
          "NODE_UNION", ".mydomain", ""
        ]
      }
    }
    mutate {
      add_field => {
        "timestamp" => "%{PROFILER_day}/%{PROFILER_month}/%{PROFILER_year}:%{PROFILER_hour}:%{PROFILER_minute}:%{PROFILER_second}.%{PROFILER_millisecond} -0300"
      }
      remove_field => ["message" ,"PROFILER_Nao_sei", "clientip"]
    }
    date {
      match => [ "timestamp", "dd/MM/YYYY:HH:mm:ss.SSS Z" ]
    }
  }
}
output {
  elasticsearch {
    hosts => [
      "localhost:9200"
    ]
  }
  stdout {
    codec => rubydebug
  }
}

i cant identify where is the problem.

magnusbaeck · June 29, 2018, 6:23am

     "NODE_UNION" => %{[beat][hostname]}

Have you tried quoting the string?

      "NODE_UNION" => "%{[beat][hostname]}"

marcelo · June 29, 2018, 7:57am

yes, not working.

I change to :
if "nameofmyserver.mydomain" in [beat][hostname]{
mutate {
add_field => {
"NODE_UNION" => "nameofmyserver"
}
}
}

system · July 27, 2018, 7:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.