Issue with my logstash conf file

rattisyam · February 8, 2018, 7:18am

Hi Team,
I am very new to ELK stack.
I am trying to parse jenkins XML (buil.xml) logs through xml parser. but i could not make it.
could you please help me on this.
below is my conf file:

input {
file {
path => "/var/lib/jenkins/jobs//builds//build.xml"
sincedb_path => "/dev/null"
start_position => "beginning"
type => "jenkinsxmllog"
}
}

filter {
xml {
store_xml => true
source => message
target => parsed_xml
force_array => false
remove_field => "message"
add_field => { "status" => "%{[parsed_xml][result]} }
add_field => { "build_duration" => "%{[parsed_xml][duration]} }
add_field => { "timestamp" => "%{[parsed_xml][timestamp]} }
}

    mutate {
    convert => { "status" => "string" }
    convert => { "timestamp" => "string" }
    convert => { "build_duration" => "integer" }

    }

}

output {
elasticsearch {
hosts => ["54.89.237.179:9200"]
index => "jenkinsxmldemo2"
document_type => "demoxml2"
}

stdout { codec => rubydebug }

}

Thanks in advance.

Regards,
Syam

warkolm · February 8, 2018, 7:22am

What problems are you having?

magnusbaeck · February 8, 2018, 8:05am

The file input reads files line by line. To read a whole file you need to use a multiline codec. Examples have been posted in the past.

rattisyam · February 8, 2018, 8:25am

configurations error in logstash logs.

"[2018-02-08T08:23:08,677][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 196, column 19 (byte 3267) after filter {\n xml {\n store_xml => true\n source => "message"\n target => "parsed_xml"\n\t\tforce_array => false\n\t\tremove_field => "message"\n\t\tadd_field => { "status" => "%{[parsed_xml][result]} }\t\n\t\tadd_field => { "", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:51:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:171:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:inexecute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:335:in block in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:inwith_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:332:in block in converge_state'", "org/jruby/RubyArray.java:1734:ineach'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:319:in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:166:inblock in converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:164:inconverge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:90:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:343:inblock in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}
"

rattisyam · February 8, 2018, 8:25am

thank you.could u please provide the example link.

magnusbaeck · February 8, 2018, 9:39am

add_field => { "status" => "%{[parsed_xml][result]} }
add_field => { "build_duration" => "%{[parsed_xml][duration]} }
add_field => { "timestamp" => "%{[parsed_xml][timestamp]} }

There's a missing double quote on each line here.

could u please provide the example link.

I don't have time to dig that up for you.

system · March 8, 2018, 9:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.