Logstash agent: Cannot create pipeline error


(Nikhil Kapoor ) #1

Hi Everyone,

I want to filter apache log using grok filter.

eg:-
64.242.88.10 - - [07/Mar/2004:16:05:49 -0800] "GET /twiki/bin/edit/Main/Double_bounce_sender?topicparent=Main.ConfigurationVariables HTTP/1.1" 401 12846

I am using the below given logstash.conf file:-
input {stdin { } }

filter{
grok{
match => { "message" => "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int})" }
}
}

output {
stdout { codec => rubydebug }
}

But getting an error:-
[2018-06-04T12:39:44,451][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Expected one of #, {, } at line 5, column 105 (byte 141) after filter{\n grok{ \n match => { "message" => "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "", :backtrace=>["/root/logstash/logstash-5.4.3/logstash-core/lib/logstash/pipeline.rb:50:in initialize'", "/root/logstash/logstash-5.4.3/logstash-core/lib/logstash/pipeline.rb:145:ininitialize'", "/root/logstash/logstash-5.4.3/logstash-core/lib/logstash/agent.rb:286:in create_pipeline'", "/root/logstash/logstash-5.4.3/logstash-core/lib/logstash/agent.rb:95:inregister_pipeline'", "/root/logstash/logstash-5.4.3/logstash-core/lib/logstash/runner.rb:274:in execute'", "/root/logstash/logstash-5.4.3/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67:inrun'", "/root/logstash/logstash-5.4.3/logstash-core/lib/logstash/runner.rb:185:in run'", "/root/logstash/logstash-5.4.3/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132:inrun'", "/root/logstash/logstash-5.4.3/lib/bootstrap/environment.rb:71:in `(root)'"]}
[2018-06-04T12:39:44,459][DEBUG][logstash.agent ] starting agent
[2018-06-04T12:39:44,463][DEBUG][logstash.agent ] Starting puma
[2018-06-04T12:39:44,463][DEBUG][logstash.agent ] Trying to start WebServer {:port=>9600}
[2018-06-04T12:39:44,464][DEBUG][logstash.api.service ] [api-service] start
[2018-06-04T12:39:44,477][DEBUG][logstash.instrument.periodicpoller.os] PeriodicPoller: Stopping
[2018-06-04T12:39:44,478][DEBUG][logstash.instrument.periodicpoller.jvm] PeriodicPoller: Stopping
[2018-06-04T12:39:44,478][DEBUG][logstash.instrument.periodicpoller.persistentqueue] PeriodicPoller: Stopping

Logstash fails to start.

Anyone please help me this issue!! I am not able to understand what's wrong in the grok expression?

Regards
Nikhil Kapoor


(Nikhil Kapoor ) #2

Issue resolved by using below grok filter:-
grok{
match => { "message" => "%{COMMONAPACHELOG}" }
}


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.