Logstash.confのoutputのif文の設定について

Negi700 · March 12, 2020, 7:32am

Filebeatで、タグ名「Apache_access_log」をつけたログのみ、Logstashを経由して、Elastiscsearchに格納したいです。

下記のlogstash.confの設定をif文で、しているのですが、Logstashで、エラー出力されうまくいきません。

原因と対処のご教示をお願いします。

  logstash.conf
    input{
      beats {
      port => "5044"
      #delete defult tags
      include_codec_tag => false
      }
    }
      
    output{
        if [tags] == "Apache_access_log" {
            elasticsearch {
            hosts => ["http://elasticsearch-service-front:9200"]
            index => "statistics_access_log_%{+YYYY_MM}"
            document_type => "statistics_access_log"
      }
    }


Logstashのログ
[2020-03-12T07:05:54,473][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:apache_access_log-pipeline, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, else, if, \", ', } at line 28, column 1 (byte 765) after output{\n    if [tags] == \"Apache_access_log\" {\n        elasticsearch {\n        hosts => [\"http://elasticsearch-service-front:9200\"]\n        index => \"statistics_access_log_%{+YYYY_MM}\"\n        document_type => \"statistics_access_log\"\n  }\n}\n", :backtrace=>["/usr/local/logstash-6.5.3/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/local/logstash-6.5.3/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/local/logstash-6.5.3/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "/usr/local/logstash-6.5.3/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:149:in `initialize'", "/usr/local/logstash-6.5.3/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "/usr/local/logstash-6.5.3/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "/usr/local/logstash-6.5.3/logstash-core/lib/logstash/pipeline_action/create.rb:42:in `block in execute'", "/usr/local/logstash-6.5.3/logstash-core/lib/logstash/agent.rb:92:in `block in exclusive'", "org/jruby/ext/thread/Mutex.java:148:in `synchronize'", "/usr/local/logstash-6.5.3/logstash-core/lib/logstash/agent.rb:92:in `exclusive'", "/usr/local/logstash-6.5.3/logstash-core/lib/logstash/pipeline_action/create.rb:38:in `execute'", "/usr/local/logstash-6.5.3/logstash-core/lib/logstash/agent.rb:317:in `block in converge_state'"]}

tsgkdt · March 12, 2020, 9:42am

Logstashの設定が提示されている通りであれば、 outputの閉じる括弧 ”}” が１つ足りないように見受けられます。

エラー内容にあります after output以降に出力されている文字列をみても、１つ足りないようです。

↓ このようにしてみてはどうでしょうか？

output {
    if [tags] == "Apache_access_log" {
        elasticsearch {
            hosts => ["http://elasticsearch-service-front:9200"]
            index => "statistics_access_log_%{+YYYY_MM}"
            document_type => "statistics_access_log"
        }
    }
}

Negi700 · March 12, 2020, 10:27am

ありがとうございます。
解決しました。

system · April 9, 2020, 10:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.