Logstash Configuration error - logstash shut down

deemanu · August 26, 2019, 3:15pm

Hi , I am trying to parse a log line (log file customized by me ) but there is some error msg

Sending Logstash logs to C:/Users/mau/Desktop/ELK/logstash-7.3.0/logs which is now configured via log4j2.properties
[2019-08-26T11:09:28,232][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2019-08-26T11:09:28,251][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.3.0"}
[2019-08-26T11:09:29,473][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 11, colum
=> [".C:\Users\manu\Desktop\ELK\Patterns\Testpatterns.txt"]\n match => { "%{MSG:Message}\s*\| %{N:RequestedID} %{GREEDYDATA} %{WORD:GetMethod} \| %{N:ResponseTime} %{GREEDYDATA} %{URI:URIRequested} %{GREEDYDATA}
ATA}" ", :backtrace=>["C:/Users/manu/Desktop/ELK/logstash-7.3.0/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "C:/Users/manu/Desktop/ELK/logstash-7.3.0/logstash-core/lib/logstash/compiler.rb:49:i gstash-7.3.0/logstash-core/lib/logstash/compiler.rb:11:inblock in compile_sources'", "org/jruby/RubyArray.java:2577:in map'", "C:/Users/manu/Desktop/ELK/logstash-7.3.0/logstash-core/lib/logstash/compiler.rb:10:incompile_sour
in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:ininitialize'", "C:/Users/manu/Desktop/ELK/logstash-7.3.0/logstash-core/lib/logstash/java_pipeline.rb:24:in initialize'", "C:/Users/manu/Desktop/ n/create.rb:36:inexecute'", "C:/Users/manu/Desktop/ELK/logstash-7.3.0/logstash-core/lib/logstash/agent.rb:325:in `block in converge_state'"]}
[2019-08-26T11:09:29,833][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2019-08-26T11:09:34,909][INFO ][logstash.runner ] Logstash shut down.

.......................................................

my grok is

input {
file {
path => ["C:\Users\manu\Desktop\ELK\logstash-7.3.0\config\test.conf"]
start_position => "beginning"
}
}

filter {
grok {
patterns_dir => [".C:\Users\manu\Desktop\ELK\Patterns\Testpatterns.txt"]
match => { "%{MSG:Message}\s*| %{N:RequestedID} %{GREEDYDATA} %{WORD:GetMethod} | %{N:ResponseTime} %{GREEDYDATA} %{URI:URIRequested} %{GREEDYDATA} %{WORD:Responsephrase} %{GREEDYDATA} %{ACC:Action} %{GREEDYDATA}" }
}
if "_grokparserfailure" in [tags] {
drop{}
}

output {
stdout {
codec => rubydebug
}
}

I have customized grok pattern ( regex ) which i saved in one location and included path above in patterns_dir .

Badger · August 26, 2019, 3:37pm

deemanu:

match => { "%{MSG:Message}\s*| %{N:RequestedID} %{GREEDYDATA} %{WORD:GetMethod} | %{N:ResponseTime} %{GREEDYDATA} %{URI:URIRequested} %{GREEDYDATA} %{WORD:Responsephrase} %{GREEDYDATA} %{ACC:Action} %{GREEDYDATA}" }

You need to tell it what to match that against. For example

match => { "message" => "%{MSG:Message}\s*| %{N:RequestedID} %{GREEDYDATA} %{WORD:GetMethod} | %{N:ResponseTime} %{GREEDYDATA} %{URI:URIRequested} %{GREEDYDATA} %{WORD:Responsephrase} %{GREEDYDATA} %{ACC:Action} %{GREEDYDATA}" }

system · September 23, 2019, 3:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.