Logstash config error Expected one of [ \t\r\n], "#", "{", ",", "]" at line 10, column 83

Hello,

I am using Logstash to ingest nginx into Elasticsearch. I am using a Linux machine, but I am getting an error when I try to start the Logstash service.

elk logstash[1233]: [2020-11-07T20:25:03,741][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "{", ",", "]" at line 10, column 83 (byte 183) after filter {\n grok {\n match => [ "message" , "%{IPV4:remote_addr} - - \[%{HTTPDATE:log_timestamp}\] "", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:183:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:357:in block in converge_state'"]}

This is the pipeline for Logstash nginx:
```
input {
  beats {
    port => 5400
    host => "..."
  }
}

filter {
  grok {
    match => [ "message" , "%{IPV4:remote_addr} - - \[%{HTTPDATE:log_timestamp}\] "%{HOST:http_host}" "%{WORD:request_method} %{DATA:uri} HTTP/1.1" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "-" %{QS:agent} "%{IP:clientip}" %{NUMBER:upstream_connect_time} %{NUMBER:upstream_header_time} %{NUMBER:upstream_response_time} %{NUMBER:request_time}" ]
    overwrite => [ "message" ]
  }
  mutate {
    convert => ["response", "integer"]
    convert => ["bytes", "integer"]
    convert => ["responsetime", "float"]
    rename => ["agent", "filebeat_agent" ]
  }
  geoip {
    source => "clientip"
    add_tag => [ "nginx-geoip" ]
  }
  date {
    match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
    remove_field => [ "timestamp" ]
  }
  useragent {
    source => "agent"
  }
}

output {
  elasticsearch {
    hosts => ["...:9200"]
    index => "weblogs-%{+YYYY.MM.dd}"
    document_type => "nginx_logs"
  }
  stdout { codec => rubydebug }
}
```
Any help will be appreciated.

I tested that grok pattern on the grok debugger tool website with the nginx log pattern.

If you have double quotes in your pattern you need to either escape them with a backslash or surround the string with single quotes.

```
match => [ "message" , '%{IPV4:remote_addr} - - \[%{HTTPDATE:log_timestamp}\] "%{HOST:http_host}" "%{WORD:request_method} %{DATA:uri} HTTP/1.1" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "-" %{QS:agent} "%{IP:clientip}" %{NUMBER:upstream_connect_time} %{NUMBER:upstream_header_time} %{NUMBER:upstream_response_time} %{NUMBER:request_time}' ]
```
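
A pre-flight check for the failure discussed in this thread, as an added example that is not part of any post here and is not Logstash's own parser: it walks a single-line `[ ... ]` array, reports the column where a quoted string closes earlier than intended, and shows that both suggested fixes pass. The function names and the shortened sample lines are constructed for illustration.

```python
# Added example: simplified model of how an array value is tokenized.
# Not Logstash's parser; handles single-line [ ... ] arrays only.
ALLOWED_AFTER_STRING = set(' \t\r\n#{,]')  # the set listed in the error message

def first_bad_column(line):
    """Return the 1-based column of the first character that follows a closed
    quoted string but is not a legal next token, or None if the line is fine."""
    i = line.find('[')
    if i < 0:
        return None
    i += 1
    while i < len(line):
        ch = line[i]
        if ch == ']':
            return None                       # array closed cleanly
        if ch not in '"\'':
            i += 1
            continue
        quote, i = ch, i + 1
        while i < len(line) and line[i] != quote:
            i += 2 if line[i] == '\\' else 1  # \" (or \') stays inside the string
        if i >= len(line):
            return len(line) + 1              # string never closed on this line
        i += 1                                # step past the closing quote
        if i < len(line) and line[i] not in ALLOWED_AFTER_STRING:
            return i + 1
    return None

def check_config(text):
    """Return (line_number, column) for every suspicious line in a config."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        column = first_bad_column(line)
        if column is not None:
            hits.append((number, column))
    return hits

# Constructed, shortened versions of the thread's match line.
BROKEN = r'match => [ "message" , "%{IPV4:remote_addr} - - \[%{HTTPDATE:log_timestamp}\] "%{HOST:http_host}" %{NUMBER:response}" ]'
SINGLE = r'''match => [ "message" , '%{IPV4:remote_addr} - - \[%{HTTPDATE:log_timestamp}\] "%{HOST:http_host}" %{NUMBER:response}' ]'''
ESCAPED = r'match => [ "message" , "%{IPV4:remote_addr} - - \[%{HTTPDATE:log_timestamp}\] \"%{HOST:http_host}\" %{NUMBER:response}" ]'

if __name__ == "__main__":
    for name, line in (("broken", BROKEN), ("single-quoted", SINGLE), ("escaped", ESCAPED)):
        print(name, first_bad_column(line))
```

Logstash's own `--config.test_and_exit` flag remains the authoritative syntax check; this sketch only makes the premature string termination visible.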

Thanks, it worked and fixed my issue.
