Expected one of #

Vivek_Samaga · April 4, 2017, 9:57am

Am using conditionals for output my config looks as below

output{
if[type] == "access_log"
{
elasticsearch{
hosts => ["10.190.188.174:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}
else if [type] == "BPM"
{
elasticsearch{
hosts => ["10.190.188.174:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}
else [type] == "syslog"
{
elasticsearch{
hosts => ["10.190.188.174:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}
}

warkolm · April 4, 2017, 9:57am

If you are getting an error, providing the complete thing would be helpful.

Vivek_Samaga · April 4, 2017, 9:58am

Expected one of #, if, { at line 170, column 6 (byte 5578) after output{

Vivek_Samaga · April 4, 2017, 9:58am

You mean whole of config file?

warkolm · April 4, 2017, 9:58am

Ok, so where is the rest of the config?

Vivek_Samaga · April 4, 2017, 9:59am

input {
beats {
port => 5044
}
}

filter {
if "access_logs" in [tags] {
grok {
match => {
"message" => [
"%{IPORHOST:x_forwarded_for} %{IPORHOST:load_balancer} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb}%{SPACE}
/%{WORD:application}}%{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
(?:%{WORD:ServerHost}:%{WORD:ServerPort})",
"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} /%{WORD:application}%{NOTSPACE:request}(?:
HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:%{WORD:ServerHost}:%{WORD:ServerPort})",
"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} /%{WORD:application}%{NOTSPACE:request}(?:
HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"
]
}
}
}
if "BPM" in [tags] {
grok {
match => {
"message" => [
"%{SYSLOG5424SD}%{SPACE}%{BASE16NUM:ThreadID}%{SPACE}%{WORD:ShortName}%{SPACE}%{WORD:EventType}%{SPACE}%{WORD:MessageIdentifier}:%{SPACE}%{GREEDYDATA:event}",
"%{SYSLOG5424SD}%{SPACE}%{WORD:ThreadID}%{SPACE}%{WORD:Logger}%{SPACE}%{WORD:MessageType}%{SPACE}%{GREEDYDATA:event}"
]
}
}
}
if "syslog" in [type][tags] {
grok {
match => {
"message" => [
"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?:
%{GREEDYDATA:syslog_message}"
]
}
}
}
}

output {
if[type] == "access_log"
{
elasticsearch {
hosts => ["10.190.188.174:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}
else if [type] == "BPM"
{
elasticsearc {
hosts => ["10.190.188.174:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}
else [type] == "syslog"
{
elasticsearc {
hosts => ["10.190.188.174:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}
}

Vivek_Samaga · April 4, 2017, 10:02am

i tried with if condition outside the output as well.
ANything needs to be changed?

Vivek_Samaga · April 4, 2017, 10:17am

@warkolm any inputs??

system · May 2, 2017, 10:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.