Expected one of [ \\t\\r\\n], \"#\", \"=>\" at line

teej · September 9, 2020, 5:28pm

Hi,
I am trying to extract one alphanumeric field in an XML file but the config is not happy. I've search this one out for a while but I cannot seem to figure out what isnt right about this simple config:

input {
  file {
    path => "/tmp/test2.xml"
    sincedb_path => "/dev/null"
    start_position => "beginning"
    codec => multiline {
      pattern => "^<name=*\>"
      auto_flush_interval => 1
      negate => "true"
      what => "previous"
      max_lines => 1000000000
      max_bytes => "500 MiB"
}}}

filter {
  grok {
     match => { "message" => "%{alnum:alert_id}"
 }
}

When I run it, I get:

[Converge PipelineAction::Create] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "=>" at line 21, column 8 (byte 448) after input

Thank you.

Badger · September 9, 2020, 6:45pm

You are missing a } to close the match => option of the grok filter.

teej · September 9, 2020, 7:05pm

I had caught that and was hoping it was that simple but nope:

        filter { grok {match=> { "message" => "%{alnum:alert_id}" }
        }}

Still gets me:

Expected one of [ \\t\\r\\n], \"#\", \"=>\" at line 17, column 8 (byte 373) after input

It now looks like:

  1 
  2 input {
  3   file {
  4     path => "/tmp/test2.xml"
  5     sincedb_path => "/dev/null"
  6     start_position => "beginning"
  7     codec => multiline {
  8       pattern => "^<name=*\>"
  9       auto_flush_interval => 1
 10       negate => "true"
 11       what => "previous"
 12       max_lines => 1000000000
 13       max_bytes => "500 MiB"
 14 }}
 15
 16 filter {
 17   grok {
 18     match => { "message" => "%{alnum:alert_id}" }
 19 }}
 20

Badger · September 9, 2020, 7:29pm

Can you add --config.debug --log.level debug --config.test_and_exit to the command line?

Note that it thinks "input" is on line 17 of the configuration, not line 2.

teej · September 11, 2020, 6:24pm

Thanks Badger. Unfortunately, the results came back essentially the same...

[FATAL] 2020-09-11 14:15:40.441 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of [ \t\r\n], "#", "=>" at line 17, column 8 (byte 373) after input {
  file {
    path => "/tmp/test2.xml"
    sincedb_path => "/dev/null"
    start_position => "beginning"
    codec => multiline {
      pattern => "^<name=*\>"
      auto_flush_interval => 1
      negate => "true"
      what => "previous"
      max_lines => 1000000000
      max_bytes => "500 MiB"
}}

filter {
  grok
[ERROR] 2020-09-11 14:15:40.444 [LogStash::Runner] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

line 17, column 8:

     16 filter {
     17   grok {
     18     match => { "message" => "%{alnum:alert_id}" }
     19 }}

Hummm...I just don't see any obvious issue. I've even retyped it all in case of some unseeable characters. BTW, line 1 was a comment which is why line 2 was INPUT.

Badger · September 11, 2020, 6:45pm

You need a third } on line 14. One to close the codec, one to close the file input, one to close the input section.

BTW, if you are wondering why you get the error at the point that you do ... the } to close the input section is missing, so when the parser sees "filter {" it thinks you are configuring a "filter" input, to go with your file input. (The realization no such input exists would come later in the initialization process when logstash starts loading plugins.) When the parser consumes "grok" it knows that has to be the grok option of a filter input, and therefore has to be followed by => to separate the name of the option from its value. Thus it complains that it is expecting "=>" (or a comment or a newline).

system · October 9, 2020, 6:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.