Logstash 6.4.1 Conditional Filter Problem


(U Hermann) #1

Hi, I am suddently confronted with this error in my ELK Installation. I have set up a filter based on the Content of an extra field I add in filebeat. I cannot get this to work, help is appreciated! Thanks, Udo

/var/log/logstash/logstash-plain.log:
[2018-10-26T13:46:19,699][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:01pip, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, ,, ] at line 12, column 35 (byte 232) after filter {\n if [fields.logart] == "fhem" {\n grok { match => [ "message" ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:149:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:38:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:309:inblock in converge_state'"]}


/etc/logstash/conf.d/filter.conf:

input {
beats {
port => 5044
ssl => false
#ssl_certificate => "/etc/pki/client/cert.pem"
#ssl_key => "/etc/pki/client/key.pem"
}
}

filter {
if [fields.logart] == "fhem" {
grok { match => [ "message" => "%{SYSLOGPROG:fh_datetime} %{HOSTNAME:fh_device} %{JAVALOGMESSAGE:fh_message}" ] }
date {
match => [ "fh_datetime", "yyyy-MM-dd_HH:mm:ss", "ISO8601" ]
#match => ["timestamp_string", "ISO8601"]
target => "@timestamp"
timezone => "Europe/Zurich"
add_tag => [ "timecheck" ]
}
}
else
grok { match => [ "message" => "%{SYSLOGPROG:fh_datetime} %{HOSTNAME:fh_device} %{JAVALOGMESSAGE:fh_message}" ]
add_tag => [ "elsecheck" ] }
}

output {
elasticsearch {
hosts => ["127.0.0.1:9200"]
# sniffing => true
# manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM}"
}
}


(Magnus B├Ąck) #2

[fields][logart], not [fields.logart]. See https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html.


(U Hermann) #3

Many thanks Magnus!


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.