Logstash config error reason=>"Expected one of #, \", ', }

Saurabh_Jambhule · July 15, 2016, 7:25am

Why this error is coming...
input {
file {
path => [ "Documents/apache-sample-dataset.log" ]
type => "apache"
start_position => "beginning"
}
}

filter {
if [type] == "apache" {
grok {
match => ["message", "%{COMBINEDAPACHELOG}"]
}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
geoip {
source => "clientip"
target => "geoip"
database => "Documents/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}

output {
elasticsearch {
host => localhost
}
}

warkolm · July 15, 2016, 7:29am

What line is it reporting on?

Saurabh_Jambhule · July 15, 2016, 7:34am

at line 3, column 1 (byte 20) after input \t{\n \tfile\t{\n

cb2015 · July 15, 2016, 6:48pm

I can't see the root of your problem, but one thing that has helped me immensely in troubleshooting a config file is to comment out everything but the first step, and then "build" the config back up from there, doing the --configtest thing every step. So you could start with
input {
file {
path => [ "Documents/apache-sample-dataset.log" ]
type => "apache"
start_position => "beginning"
}
}

#filter {
#if [type] == "apache" {
#grok {
#match => ["message", "%{COMBINEDAPACHELOG}"]
#}
#}
#date {
#match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
#}
#geoip {
#source => "clientip"
#target => "geoip"
#database => "Documents/GeoLiteCity.dat"
#add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
#add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
#}
#mutate {
#convert => [ "[geoip][coordinates]", "float" ]
#}
#}

#output {
#elasticsearch {
#host => localhost
#}
#}

and add on from there

anhlqn · July 16, 2016, 2:56pm

You need to use a full path for this file, I think. Windows or Linux?

Saurabh_Jambhule · July 24, 2016, 7:09pm

Thank you. It is now working.

manopmk · March 21, 2017, 1:53pm

Im Using mac im unable to configure apache log.
im getting error
" Error: Expected one of #, ", ', -, [, {, ] at line 4, column 14 (byte 33) after input { file { path => [

i tried
path => "/Users/tcstsb3/Downloads/log/access_log.log"

path => ["/user....../apache.log"]

path => ["user....../apache.log"]

same error only im getting,

ANY ONE PLZ HELP ME

input {

file {
path => [“/Users/tcstsb3/Downloads/log/access_log”]
type => "apache"
}

}

filter {

grok {
  match => { “message” => “%{COMBINEDAPACHELOG}” }
}

}

output {
elasticsearch {
hosts => [“10.145.40.24:9200”]
}
stdout { codec => rubydebug }
}

warkolm · March 21, 2017, 8:20pm

Please start your own thread.