Indentation error on filebeat conf

Guillaume_D · June 23, 2022, 3:09pm

Hi, I want to do some basic process with filebeat on my logs but I have some indentations problemes I just don't know how to resolve.

Here is the current stat of the conf file, input and output has been sensored but I already know the problems are in the processors


processors:
  - if: 
      contains:
        log.file.path: "path1"
    then:
      - drop_event:
          when:
            - regexp:
              message: "^!"
        #create criticity and clean messsage field 
      - dissect:
          tokenizer: "[%{criticity}] [%{timestamp}] %{msg}"
          field: "message"
          target_prefixe: ""
          overwrite_keys: true
      - drop_field:
          fields: ["message"]
      - rename:
          fields:
            - from: "msg"
              to: "message"
          ignore_missing: true
          fail_on_error: true
  - if: 
      contains:
        log.file.path: "path2"
    then:
      - dissect:
          tokenizer: '%{ip_adresse} - - [%{@timestamp}] "%{verb} / %{target}"   %{return_code|integer} %{answer_lenght|integer} "%{}" "%{?%referer}"   %{call_lenght|integer}'
          field: "message"
          target_prefixe: ""
          overwrite_keys: true

and here is my current error :

filebeat]# filebeat test config -c filebeat.yml
Exiting: error initializing processors: failed to make if/then/else processor: failed to initialize condition: missing or invalid condition

sudhagar_ramesh · June 24, 2022, 3:57am

Hello @Guillaume_D

Welcome to Elastic Community !!!

There are no indentation error. You can also validate your code using any of yml validator.
The error message means that there is an invalid condition specified in processors.

When using if-then-else processors we should not use when for the conditions

Hence try the below

processors:
  - if: 
      contains:
        log.file.path: "path1"
    then:
      - drop_event:
            - regexp:
              message: "^!"

if this above code block doesn't work then change your code accordingly but without using "when"

For more information , refer the below links:

Keep Posted !!! Thanks !!!

Guillaume_D · June 24, 2022, 8:10am

Thanks @sudhagar_ramesh the file conf dooesn't show error anymore !
Small probleme is it doesn't do what it was made for, none of the processors inside the if are used.

Ther may be a probleme in the condition. the file path I must spécifie in my condition is the one of the log file were I get my logs from right ?

current stat of the conf:
`#processors for Oscare
processors:

if:
contains:
log.file.path: "path1"
then:
- drop_event:
  - regexp:
  message: "^!"
  #create criticity and clean messsage field
- dissect:
  tokenizer: "[%{criticity}] [%{timestamp}] %{msg}"
  field: "message"
  target_prefixe: ""
  overwrite_keys: true
- drop_field:
  fields: ["message"]
- rename:
  fields:
  - from: "msg"
  to: "message"
  ignore_missing: true
  fail_on_error: true
if:
contains:
log.file.path: "path2"
then:
- dissect:
  tokenizer: '%{ip_adresse} - - [%{@timestamp}] "%{verb} / %{target}" %{return_code|integer} %{answer_lenght|integer} "%{}" "%{?%referer}" %{call_lenght|integer}'
  field: "message"
  target_prefixe: ""
  overwrite_keys: true`

sudhagar_ramesh · June 24, 2022, 9:03am

Hello @Guillaume_D

Yes, you should also have to make the change in the log.file.path

that should be like

  - if: 
      contains:
          paths:
	    - /var/log/messages

Keep Posted!!! Thanks !!!

For more information about path, refer below link

Guillaume_D · June 24, 2022, 4:58pm

thanks @sudhagar_ramesh it all works now!!!

system · July 22, 2022, 6:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.