Issue while running the logstash

```
runner - The given configuration is invalid. Reason: Failed to parse right-hand side of conditional [file]/etc/logstash/conf.d/logstash-grok.conf:70:45:
```

Is there anything wrong with my config?

```
#1. Match 'message' field structure to corresponding fields. Doubled percent symbol is for correct ERB interpretation.
grok {
  match => { "message" => '<%{POSINT:syslog_pri}>%{SPACE}%{NUMBER:syslog_version}%{SPACE}%{TIMESTAMP_ISO8601:syslog_timestamp}%{SPACE}%{DATA:syslog_cdn_id}%{SPACE}Apigee-Edge(%{SPACE}-%{SPACE})+%{GREEDYDATA:syslog_message}' }
  keep_empty_captures => true
  tag_on_failure => ["_grokparsefailure", "_grok_1"]
}

#2. Create custom field(s).
mutate {
  add_field => { "collector_id" => "logstash_new_test7--0ce8bb6cf7572a765" }
}

#3. Amend "syslog_message" string to make it parsable further by 'json' filter.
mutate { gsub => ["syslog_message", "\u0000", "" ] }

#4. Json-ify the raw string data. Without 'target' option the JSON data will be stored at the root (top level) of the event.
json { source => "syslog_message" }

#5. Extract values from a field into their own fields by matching the pattern for /data api_base_path only and keep empty matches.
#   A regexp literal in a Logstash conditional is delimited by '/', so a literal slash inside it has to be
#   escaped as '\/'. The original '=~ //data/' is read as an empty regexp followed by stray text, which is
#   what produces "Failed to parse right-hand side of conditional".
if [api_base_path] =~ /\/data/ {
  grok {
    # The first capture group below has lost its (?<name>...) label; give it the target field name.
    match => ["path_suffix", "/(?[a-zA-Z]+).??(?<response_format>[a-zA-Z]+)??/?$"]
    keep_empty_captures => true
    tag_on_failure => ["_grokparsefailure", "_grok_2"]
  }
}

#6. Use the date from 'request_timestamp' field as event's time in Kibana.
#   It's important to execute this filter after 'request_timestamp' has been created by grok/json filters.
date {
  match => ["request_timestamp", "UNIX_MS"]
  target => "@timestamp"
}

#7. Miscellaneous fields processing section.
if [http_x_forwarded_for] {
  mutate { split => ["http_x_forwarded_for", ","] }
}

#8. Extract geolocation data based on IPv4/IPv6 addresses. If no match is found, "_geoip_lookup_failure" is added to tags.
if [remote_addr] {

  # Copy 'remote_addr' field, strip spaces, text and split into array.
  mutate { add_field => [ "remote_addr_copy", "%{remote_addr}" ] }
  mutate { gsub      => [ "remote_addr_copy", " ", "" ] }
  mutate { gsub      => [ "remote_addr_copy", "^[a-zA-Z_-]+$", "" ] }    # anchored, to avoid gsub'ing IPv6 addresses
  mutate { split     => [ "remote_addr_copy", "," ] }

  # Strip off local IP ranges (10/8, 127/8, 172.16/12, 192.168/16) and pass only external IPs list to geoip filter.
  # The regex is anchored with '^' so that e.g. 110.x.x.x is not mistaken for 10.x.x.x.
  ruby {
    code => "begin
               ips_list = Array(event.get('remote_addr_copy'))   # Array() tolerates a missing or scalar field
               filtered_list = []
               ips_list.each do |ip|
                 if ip !~ /^(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./
                   filtered_list.push(ip)
                 end
               end
               event.set('remote_addr_copy', filtered_list)
             end"
  }
}
```
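As an added example (not the poster's configuration), the address-filtering step from section 8 written as plain Ruby with the standard `IPAddr` class, so the private-range logic can be tested outside the pipeline and extended to IPv6; the `NON_PUBLIC_RANGES` list, the `external_ips` helper and the sample header value are mine.

```ruby
require 'ipaddr'

# Blocks that should never reach the geoip filter. The pipeline's regex tries
# to express the IPv4 ones by hand; IPAddr states the intent directly and
# covers IPv6 (which remote_addr can also carry) without a second regex.
NON_PUBLIC_RANGES = [
  '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',  # RFC 1918 private
  '127.0.0.0/8', '::1/128',                          # loopback
  '169.254.0.0/16', 'fe80::/10',                     # link-local
  '100.64.0.0/10',                                   # carrier-grade NAT
  'fc00::/7'                                         # IPv6 unique local
].map { |cidr| IPAddr.new(cidr) }

# Split a remote_addr / X-Forwarded-For style value on commas, strip
# whitespace, drop anything that is not an IP literal ("unknown", "-") and
# return only the addresses worth a geoip lookup, in their original order.
# Unlike the regex version this cannot drop 110.x.x.x when it means 10.x.x.x.
def external_ips(raw)
  raw.to_s.split(',').each_with_object([]) do |tok, out|
    tok = tok.strip
    next if tok.empty?
    begin
      ip = IPAddr.new(tok)
    rescue IPAddr::Error
      next # not an address; never hand junk to geoip
    end
    out << tok unless NON_PUBLIC_RANGES.any? { |range| range.include?(ip) }
  end
end

# In a Logstash ruby filter the same call would be
#   event.set('remote_addr_copy', external_ips(event.get('remote_addr')))
# The header value below is a constructed sample, not data from the post.
if __FILE__ == $0
  sample = ' 10.0.0.5, unknown, 110.20.30.40 ,172.31.9.9, fe80::1, 203.0.113.7'
  puts external_ips(sample).inspect # ["110.20.30.40", "203.0.113.7"]
end
```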
