i'm using logstash for parsing tomcat log file but since i wrote grok pattern for this log 127.0.0.1 - - [11/Dec/2018:11:01:59 +0330] "GET /parabank/template.css HTTP/1.1" 200 9571 and my grok pattern is ^%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int})$ when i starting logstash i getting an error as follows:
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 8, column 110 (byte 181) after filter {\n grok {\n match => { "message" => "^%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "", :backtrace=>["/opt/logstash-6.5.4/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/opt/logstash-6.5.4/logstash-core/lib/logstash/compiler.rb:49:incompile_graph'", "/opt/logstash-6.5.4/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "/opt/logstash-6.5.4/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:149:ininitialize'", "/opt/logstash-6.5.4/logstash-core/lib/logstash/pipeline.rb:22:in initialize'", "/opt/logstash-6.5.4/logstash-core/lib/logstash/pipeline.rb:90:ininitialize'", "/opt/logstash-6.5.4/logstash-core/lib/logstash/pipeline_action/create.rb:42:in block in execute'", "/opt/logstash-6.5.4/logstash-core/lib/logstash/agent.rb:92:inblock in exclusive'", "org/jruby/ext/thread/Mutex.java:148:in synchronize'", "/opt/logstash-6.5.4/logstash-core/lib/logstash/agent.rb:92:inexclusive'", "/opt/logstash-6.5.4/logstash-core/lib/logstash/pipeline_action/create.rb:38:in execute'", "/opt/logstash-6.5.4/logstash-core/lib/logstash/agent.rb:317:inblock in converge_state'"]}
PLEASE help me to find out what's going on. i'm trying several ways but i doesn't work.
Error message says you have an issue with your config file. Please verify your config file. Line 8, column 110.
thank you for the reply
I applied some changes, when I remove " in the grok pattern it's running fine but i still getting _grokparsfailure, how can i use "" in pattern without conflict with "" for the origin message? thank you
Try escaping the " :
\"
thank you, it's worked.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.