Grok Configuration error

Shaooli · April 23, 2019, 7:34pm

Hello, i am very new to this, i guess this is a simple one, but i still need your help.
when running logstash i get the below configuration error:

[2019-04-23T22:27:14,022][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 22, column 10 (byte 433) after filter {\r\n grok {\r\n match => { "message" => "%{WORD:sevirity} %{WORD:server} %{GREEDYDATA:text}%{NUMBER:latency}" }\r\n\r\n mutate ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2577:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:43:in block in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:inblock in exclusive'", "org/jruby/ext/thread/Mutex.java:165:in synchronize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:inexclusive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:39:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:334:inblock in converge_state'"]}
[2019-04-23T22:27:15,891][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}

And this is my config file:
input {
file {
path => "/var/log/apache.log"
start_position => "beginning"
}
}

filter {
grok {
match => { "message" => "%{WORD:sevirity} %{WORD:server} %{GREEDYDATA:text}%{NUMBER:latency}" }

mutate {
add_field => { "token" => "ulQScJxhoEUuCqEIeZhZwmbzuXGBrntQ" }

}
}

Output {
tcp {
host => "listener.logz.io"
port => 5050
codec => json_lines
}

I've been told this may be a spacing issue, but i am not sure

Thanks

Badger · April 23, 2019, 8:25pm

You are missing a }

grok {
match => { "message" => "%{WORD:sevirity} %{WORD:server} %{GREEDYDATA:text}%{NUMBER:latency}" }
} <== Insert this here
mutate {

Shaooli · April 24, 2019, 1:14pm

Thanks!! I also find a capital "O" there. all is fixed and I do not see the configuration errors anymore,
However, now I see (again I admit) the elastic unreachable error (localhost:9200)
this is what i get:
sudo tail -f /var/log/logstash/logstash-plain.log
[2019-04-24T15:21:38,192][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://localhost:9200/][Manticore::SocketException] Connection refused (Connection refused)"}

which is strange since before I manage to run the config and get the configuration error.
I run ubuntu using VirtualBox
this is my elastic search relevant .yml file (no changes in it besides those 2):

---------------------------------- Network -----------------------------------

Set the bind address to a specific IP (IPv4 or IPv6):

network.host: localhost

Set a custom port for HTTP:

http.port: 9200

For more information, consult the network module documentation.

My logstash.yml

------------ Data path ------------------

Which directory should be used by logstash and its plugins

for any persistent needs. Defaults to LOGSTASH_HOME/data

path.data: /var/lib/logstash

------------ Debugging Settings --------------

Options for log.level:

* fatal

* error

* warn

* info (default)

* debug

* trace

log.level: info

path.logs: /var/log/logstash

and my hosts file:

The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.0.2.15 hava-VirtualBox

should i change the localhost in the elastic yml to be my VirtualBox IP?

system · May 22, 2019, 1:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[SOLVED]Logstash configuration problem identification Logstash	2	9839	September 27, 2018
Logstash Configuration Error Logstash	3	940	October 1, 2020
LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"if\", [A-Za-z0-9_-], '\"', \"'\", \"}\" Logstash	13	5310	September 21, 2022
ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, { at line 24, column 7 Logstash	7	1230	April 23, 2019
Configuration error Logstash	4	4227	March 15, 2018