Error initializing processors

BeerRider · September 4, 2017, 6:37am

Hello.
I'm trying to make filebeat send logs excluding some messages.

Config:

filebeat.prospectors:
    - input_type: log
      document_type: exchange
      paths:
       - d:\Program Files\Exchange Server 2013\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG
      ignore_older: 336h

processors:
  - drop_event:
    when:
      regexp:
        message: 'MicrosoftExchange.+@kirmarket\.ru'

output:
  logstash:
    hosts: ["logs:5044"]

On start i get error:

Exiting: error initializing processors: each processor needs to have exactly one action, but found 2 actions

What is wrong? Where is the 2nd action?

Christian_Dahlqvist · September 4, 2017, 8:51am

Yaml files are sensitive to indentation, and based on the formatting it seems all configuration lines may not be properly aligned.

BeerRider · September 4, 2017, 10:51am

Yeah.
Looks like indentation in yaml is kinda tricky.
This works:

processors:
   - drop_event:
      when:
         regexp:
            message: 'MicrosoftExchange.+@kirmarket\.ru'

Each line is indented by 3 spaces x (number of line - 1).

Also found better solution for initial problem:

filebeat.prospectors:
  - input_type: log
    document_type: exchange
    paths:
      - d:\Program Files\Exchange Server 2013\TransportRoles\Logs\MessageTracking\MSGTRK*.LOG
    ignore_older: 336h
    exclude_lines: ['MicrosoftExchange.+@kirmarket\.ru','HealthMailbox.+@kirmarket\.ru']    <==== this

steffens · September 4, 2017, 1:37pm

exclude_lines is definitely better suited. Anyways, one can reduce indentation somewhat (we indent by 2 spaces):

processors:
- drop_event:
    when.regexp.message: 'MicrosoftExchange.+@kirmarket\.ru'

BeerRider · September 6, 2017, 4:23am

Thank you.

PS:
I used your example. Results:
2 spaced indentation: same error.
3+ spaced indentation: all works correctly.

Is this a bug or intended behavior?

steffens · September 6, 2017, 11:39am

Hm.... I'm always using 2 spaces and never have had any problems. You sure you don't have any tabs in your file by accident?

BeerRider · September 7, 2017, 5:03am

Yes, sure. Only 2 spaces in front of "when". Not working.

processors:
- drop_event:
  when.regexp.message: 'MicrosoftExchange.+@kirmarket\.ru'

In other parts of config file 2-spaced indentations works fine.

filebeat.prospectors:
  - input_type: log
    document_type: exchange
    paths:
      - d:\Program Files\Exchange Server 2013\TransportRoles\Logs\MessageTracking\MSGTRK2*.LOG
    ignore_older: 336h
    exclude_lines: ['MicrosoftExchange.+@kirmarket\.ru','HealthMailbox.+@kirmarket\.ru','postmaster@kirmarket\.ru']
    close_inactive: 2h

processors:
- drop_event:
  when.regexp.message: 'MicrosoftExchange.+@kirmarket\.ru'

output:
  logstash:
    hosts: ["logs:5044"]

Also, filebeat version is filebeat-5.5.0-windows-x86_64

steffens · September 7, 2017, 11:06am

Oh, I see. Well, the when-clause must be indented within the drop_event namespace. Check my sample, I did use 4 spaces on the when-clause.

BeerRider · September 8, 2017, 9:18am

OK, I get it... I guess.
Thank you for help.

system · October 6, 2017, 9:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.