Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 6,

Hello,
My code for the logstash-simple.conf file is as follows:-
    input {
    	file {
    		type => "mylog"
    		path => "C:\Softwares\ELK\custom-*.log"
    		mode => "tail"
    		start_ position => "beginning"
    	}
    }

    filter {
    	if ([type] == "mylog") {
    		grok {

    			match => { "message" => [
    				" (?<DateTime>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{WORD})\t (?<Message>%{WORD}%{WORD}%{WORD})\t%{NUMBER:Arg1}\t%{NUMBER:Arg2}\t%{WORD:Operation}\t%{GREEDYDATA:params}",
    				" (?<DateTime>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{WORD})\t (?<Message>%{WORD}%{WORD})\t%{NUMBER:Arg1}\t%{NUMBER:Arg2}\t%{WORD:Operation}",
    				" (?<DateTime>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{WORD})\t (?<Message>%{WORD})\t%{NUMBER:Arg1}\t%{NUMBER:Arg2}\t%{WORD:Operation}"
    			] }

    		}

    		if ([Message] == "custommessage") {

    			mutate { add_field => [ "NewField", "Hello" ] }

    		}

    		else if ([Message] == "another message") {

    			mutate {

    				split => ["Message" , " "]

    				add_field => ["FirstPart", "%{[Message][0]}", "SecondPart", "%{[Message][0]}" ]

    			}

    		}

    		else if ([Message] == "one more message") {
    			grok {
    				match => [ "params", "%{WORD:Arg3}\t%{WORD:Arg4}\t%{WORD:Arg5}" ]
    			}
    		}

    		mutate { remove_field => [ "params" ] }
    	}
    }

    output {
      elasticsearch {
        hosts => "localhost:9200"
        manage_template => false
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        document_type => "%{[@metadata][type]}"
      }
    }

The error I am getting in the logs is as follows:-

    [2019-04-18T06:55:15,823][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
    [2019-04-18T06:55:15,852][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.0.0"}
    [2019-04-18T06:55:17,169][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 6, column 10 (byte 108) after input {\r\n\tfile {\r\n\t\ttype => "mylog"\r\n\t\tpath => "C:\Softwares\ELK\custom-*.log"\r\n\t\tmode => "tail"\r\n\t\tstart_ ", :backtrace=>["C:/Softwares/ELK/Logstash/logstash-7.0.0/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "C:/Softwares/ELK/Logstash/logstash-7.0.0/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "C:/Softwares/ELK/Logstash/logstash-7.0.0/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2577:in `map'", "C:/Softwares/ELK/Logstash/logstash-7.0.0/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in `initialize'", "C:/Softwares/ELK/Logstash/logstash-7.0.0/logstash-core/lib/logstash/java_pipeline.rb:23:in `initialize'", "C:/Softwares/ELK/Logstash/logstash-7.0.0/logstash-core/lib/logstash/pipeline_action/create.rb:36:in `execute'", "C:/Softwares/ELK/Logstash/logstash-7.0.0/logstash-core/lib/logstash/agent.rb:325:in `block in converge_state'"]}
    [2019-04-18T06:55:17,802][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
    [2019-04-18T06:55:22,727][INFO ][logstash.runner ] Logstash shut down.

Your path is wrong, I think. If I'm not mistaken, you have to use / on Windows as well as Unix. So: C:/Software/ELK/custom-*.log

Thanks a ton! It worked. 🙂

Whilst it is true that you have to use / rather than \, this specific error message is caused by the space between start_ and position.
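Added example, not part of the thread or of Logstash itself: a small Python helper that maps the `line 6, column 10 (byte 108)` position from the error above onto the config text and flags the two problems raised in the replies. The sample config is reconstructed from the text quoted inside the error message, and `locate` and `lint` are hypothetical names chosen for this illustration.

```python
import re

# Constructed sample: the input block from the question, with the tab
# indentation and CRLF line endings that the quoted error message shows.
CONFIG = (
    'input {\r\n'
    '\tfile {\r\n'
    '\t\ttype => "mylog"\r\n'
    '\t\tpath => "C:\\Softwares\\ELK\\custom-*.log"\r\n'
    '\t\tmode => "tail"\r\n'
    '\t\tstart_ position => "beginning"\r\n'
    '\t}\r\n'
    '}\r\n'
)
ERROR = 'Expected one of #, => at line 6, column 10 (byte 108) after input {'

POSITION = re.compile(r'at line (\d+), column (\d+) \(byte (\d+)\)')
# An option line: indentation, key text, "=>", then the value.
OPTION = re.compile(r'^\s*([^#"\'{}\[\]]*?)\s*=>\s*(.*)$')


def locate(config, error):
    """Map the parser's 1-based line/column/byte onto the config text."""
    m = POSITION.search(error)
    if m is None:
        raise ValueError('no position found in error message')
    line_no, col, byte = (int(g) for g in m.groups())
    line = config.splitlines()[line_no - 1]
    rest = line[col - 1:]  # text the parser could not accept
    # Cross-check: the byte offset must point at the same text.
    same = config.encode('utf-8')[byte - 1:].startswith(rest.encode('utf-8'))
    return {'line': line_no, 'column': col, 'rest': rest, 'byte_matches': same}


def lint(config):
    """Flag option names containing whitespace and backslashes in 'path'."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        m = OPTION.match(line)
        if m is None:
            continue
        key, value = m.group(1), m.group(2)
        if re.search(r'\s', key):
            findings.append((n, 'whitespace inside option name %r' % key))
        if key == 'path' and '\\' in value:
            findings.append((n, 'backslash in path (replies suggest "/")'))
    return findings


if __name__ == '__main__':
    print(locate(CONFIG, ERROR))
    for finding in lint(CONFIG):
        print('line %d: %s' % finding)
```

The reported position lands on `position`, the first token after the stray space, which is why the parser says it expected `=>` there.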
