Expected one of "\\'", any character, "'"

Hello Elastic community, I need your help. I got this error when I added the rename function to mutate.
This is the full error log:
[ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of "\\'", any character, "'" at line 42, column 1 (byte 1168) after input {\n udp {\n host => '...'\n port => 1514\n type => ''\n }\n tcp {\n host => '...'\n port => 1514\n type => 'relpsos\n }\n}\n\noutput{\n elasticsearch{\n hosts => ["https://:9200","https://:9200","https://:9200"]\n manage_template => false\n index => "*"\n document_type => "%{[@metadata][type]}"\n cacert => "/etc/logstash/certs/ca.crt"\n user => ""\n password => ""\n }\n stdout{\n codec => rubydebug\n }\n}\n\nfilter {\n if[type]=="soslog"{\n grok {\n match => { "message" => "time=%{DATA:timestamp}\|action=%{WORD:action}\|orig=%{IPORHOST:origin}\|i\/f\_dir=%{WORD:direction}\|i\/f\_name=%{WORD:interface}\|has\_accounting=%{INT:accounting}\|uuid=%{DATA:uuid}\|product=%{DATA:product}\|rule=%{INT:rule}\|rule_uid=%{DATA:rule_uid}\|*src=%{IP:src_ip}\|s_port=%{INT:src_port}\|dst=%{IP:dst_ip}\|service=%{INT:dst_port}\|proto=%{WORD:protocol}" }\n add_field => [ "received_at", "%{@timestamp}" ]\n add_field => [ "received_from", "%{host}" ]\n } mutate {\n convert => ["source.ip", "integer"]\n rename => ["action", "event.action"]\n }\n kv {}\n }\n}\n", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2584:in map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:156:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:27:in initialize'", 
"/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in block in converge_state'"]}

And this is the filter:

filter {
  if[type]=="*"{
    grok {
      match => { "message" => "time=%{DATA:timestamp}|action=%{WORD:action}|orig=%{IPORHOST:origin}|i/f_dir=%{WORD:direction}|i/f_name=%{WORD:interface}|has_accounting=%{INT:accounting}|uuid=%{DATA:uuid}|product=%{DATA:product}|rule=%{INT:rule}|rule_uid=%{DATA:rule_uid}|*src=%{IP:src_ip}|s_port=%{INT:src_port}|dst=%{IP:dst_ip}|service=%{INT:dst_port}|proto=%{WORD:protocol}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    } mutate {
      convert => ["source.ip", "integer"]
      rename => ["action", "event.action"]
    }
    kv {}
  }
}

I have changed sensitive data with the symbol *.

Hi

Looking at your log, the culprit could be kv{}. Try commenting it out and see what you get.

I'm not sure about your mutate{} starting on the same line where you close the grok{} filter. But that might be just here, since you didn't format your code when pasting it to your post.

There's no space between your if and [type]. That might be wrong too.

Hope this helps.

I have tried to delete the kv{}, to replace the mutate, and also to add a space between if and [type], but I got the same error, which is the one in the title.

Hi

Your convert and rename might be wrong. They should be convert => {} and rename => {}. Check the syntax here: https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html

Hope this helps

I tried the syntax on the link but I got the same problem too. I just want to point out that the convert function on mutate worked before adding the rename function.

Hi

I suggest you remove the rename line, without changing anything else, and see if it still works. If it does, you can be sure the problem is in that line, and you have to center your efforts there.

Try changing event.action to, say, event_action and see what happens. Of course, make sure you have a field called action in the first place.

If this doesn't help then, please, comment out your entire filter section, leave only a stdout{} plugin in your output{} section. Run it once and post the complete code and output here. Something like this:

input {
  <your input code here>
}

#filter {
#  <your filters here>
#}

output {
  stdout {}
}

Try to use proper formatting when posting to make our lives easier.

Hope this helps.
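
Added example, not part of any post in this thread: in the configuration echoed in the error log above, the tcp input's `type => 'relpsos` has no closing quote, and the reported position (line 42, column 1) is the end of the echoed config, where the parser was still inside that single-quoted string. The Python sketch below reports where such an unclosed string opens; the function name and the abridged sample config are constructed for illustration.

```python
def find_unterminated_string(config):
    """Return (line, column, quote) of a quoted string that never closes, else None."""
    # Handles '...' and "..." strings, backslash escapes and # comments only.
    opener = None  # index of the quote that opened the string we are inside
    i, n = 0, len(config)
    while i < n:
        ch = config[i]
        if opener is not None:
            if ch == "\\":
                i += 1  # skip the escaped character, e.g. \' inside '...'
            elif ch == config[opener]:
                opener = None  # matching quote closes the string
        elif ch in "'\"":
            opener = i
        elif ch == "#":
            nl = config.find("\n", i)  # comment runs to end of line
            i = n if nl == -1 else nl
        i += 1
    if opener is None:
        return None
    line = config.count("\n", 0, opener) + 1
    col = opener - config.rfind("\n", 0, opener)
    return line, col, config[opener]


# Constructed sample, abridged from the config echoed in the error log above.
SAMPLE = """\
input {
  udp {
    host => '...'
    port => 1514
    type => ''
  }
  tcp {
    host => '...'
    port => 1514
    type => 'relpsos
  }
}
filter {
  mutate {
    rename => ["action", "event.action"]
  }
}
"""

if __name__ == "__main__":
    print(find_unterminated_string(SAMPLE))
```

If the file contains another quote of the same kind further down, the strings pair up differently and the reported position moves, so treat the result as a hint. Running `bin/logstash -f <file> --config.test_and_exit` checks the file with Logstash's own parser.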
