Hey guys,
Sorry if this is a little basic. But I wrote this filter and stashed it into its own config file:
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "\{", "%{QS}:%{BASE16FLOAT:timestamp}" + "," + "%{QS}:%{QS:SyslogDrainUrlsController}" + "," + "%{QS}:{QS:loglevel}" + "," + "%{QS}:{QS:source}" + "," + "%{QS}:{%{QS}:%{QS:request_guid}}" + "," + "%{QS}:{QS:thread_id}" + "," + "%{QS}:{QS:fiber_id}" + "%{QS}:{QS:process_id}" + "%{QS}:{QS:file}" + "," + "%{QS}:%{NUMBER:lineno}" + "," + "%{QS}:{QS:file}" + "\}" } ,
      add_tag => "cctl"
    }
  }
}
I'm very eager to try it out and see if it works. However it's failing a basic config test:
# /opt/logstash/bin/logstash --configtest --config 02-logstash-syslog.conf
Error: Expected one of #, {, } at line 4, column 33 (byte 79) after filter {
if [type] == "syslog" {
grok {
match => { "message" => "\}"
Can anyone spot what's going wrong there? Bummer I'm not sure where the error is.
This is the log entry that I'm trying to match, in case anyone is interested:
{"timestamp":1444663721.004162,"message":"dispatch VCAP::CloudController::SyslogDrainUrlsController get /v2/syslog_drain_urls","log_level":"debug","source":"cc.api","data":{"request_guid":"0c0395a8-8d54-42dd-5cc7-f3b4a2c1fad9::78713c18-6a70-4872-9b19-37d629d68f09"},"thread_id":69959711038800,"fiber_id":69959731966880,"process_id":4819,"file":"/var/vcap/packages/cloud_controller_ng/cloud_controller_ng/lib/cloud_controller/rest_controller/routes.rb","lineno":12,"method":"block in define_route"}
Thanks