Logstash ConfigurationError - Expect character

Hi, I have this pattern that matches correctly on https://grokconstructor.appspot.com:

"%{TIMESTAMP_ISO8601:timestamp}"\|"%{DATA:tz}"\|"%{GREEDYDATA:trans}\: %{GREEDYDATA:transId}"\|"%{GREEDYDATA:req}\: %{GREEDYDATA:reqId}"\|"%{IP:ip}"\|"%{GREEDYDATA:path}\=%{GREEDYDATA:codF}"\|"%{DATA:httpver}"\|"%{DATA:app}"\|"%{WORD:verb}"\|"%{GREEDYDATA:gw}\: %{GREEDYDATA:gw_status}"\|"%{GREEDYDATA:be}\: %{GREEDYDATA:be_status}"\|"%{DATA:unknown}"\|"%{DATA:postman}"\|"%{DATA:link}"\|"%{GREEDYDATA:tok}\: %{GREEDYDATA:token}"

When I configure Logstash 8.5.1 with this filter:

filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}"\|"%{DATA:tz}"\|"%{GREEDYDATA:trans}\: %{GREEDYDATA:transId}"\|"%{GREEDYDATA:req}\: %{GREEDYDATA:reqId}"\|"%{IP:ip}"\|"%{GREEDYDATA:path}\=%{GREEDYDATA:codF}"\|"%{DATA:httpver}"\|"%{DATA:app}"\|"%{WORD:verb}"\|"%{GREEDYDATA:gw}\: %{GREEDYDATA:gw_status}"\|"%{GREEDYDATA:be}\: %{GREEDYDATA:be_status}"\|"%{DATA:unknown}"\|"%{DATA:postman}"\|"%{DATA:link}"\|"%{GREEDYDATA:tok}\: %{GREEDYDATA:token}" }
    add_field => [ "grok_state", "match" ]
  }
}

I get this error:

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "{", "}" at line 10, column 61 (byte 158) after filter {\n grok {\n match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:182:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:50:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:386:in block in converge_state'"]}

Example of log:

"2022-11-28 09:14:59:514"|"+0100"|"transId: xxx"|"reqId: xxx"|"1.1.1.1"|"/path/codF=xxxxxxxxxxx"|"HTTP/1.1"|"SAP"|"GET"|"gateway status: 200"|"backend status: 200"|""|"Runtime/7.29.2"|"client"|"token: xxxx-xxxx-xxxx"

I tried to escape the " but I get the same error. Any ideas?

Thanks

I solved it: the entire block of the pattern must be enclosed in double quotes, and the double quotes within the pattern must be escaped:

filter {
  grok {
    match => { "message" => "\"%{TIMESTAMP_ISO8601:timestamp}\"\|\"%{DATA:tz}\"\|\"%{GREEDYDATA:trans}\: %{GREEDYDATA:transId}\"\|\"%{GREEDYDATA:req}\: %{GREEDYDATA:reqId}\"\|\"%{IP:ip}\"\|\"%{GREEDYDATA:path}\=%{GREEDYDATA:codF}\"\|\"%{DATA:httpver}\"\|\"%{DATA:app}\"\|\"%{WORD:verb}\"\|\"%{GREEDYDATA:gw}\: %{GREEDYDATA:gw_status}\"\|\"%{GREEDYDATA:be}\: %{GREEDYDATA:be_status}\"\|\"%{DATA:unknown}\"\|\"%{DATA:postman}\"\|\"%{DATA:link}\"\|\"%{GREEDYDATA:tok}\: %{GREEDYDATA:token}\"" }
    add_field => [ "grok_state", "match" ]
  }
}

Thanks all

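Why the parser stopped at column 61 and why the escaped version loads, as an added example that is not part of the original thread. It is a simplified Python model of Logstash's double-quoted string rule (assumption: the pair `\"` stays inside the literal and any other `"` closes it), run on the first two fields of the pattern above; all function and variable names are hypothetical.

```python
# Added example: simplified model of Logstash's double-quoted config string rule.
# Assumption: inside "...", the pair \" stays in the literal; any other " ends it.
PREFIX = '    match => { "message" => '
RAW = r'"%{TIMESTAMP_ISO8601:timestamp}"\|"%{DATA:tz}"'  # first two fields only

def literal_end(line, start):
    """Index of the quote that closes the literal opened at line[start]."""
    if line[start] != '"':
        raise ValueError("no opening quote at start")
    i = start + 1
    while i < len(line):
        if line.startswith('\\"', i):  # escaped quote: still inside the literal
            i += 2
        elif line[i] == '"':           # bare quote: the literal ends here
            return i
        else:
            i += 1
    raise ValueError("unterminated string literal")

def escape_for_config(pattern):
    """Wrap a raw grok pattern in double quotes and escape its bare quotes."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith('\\"', i):  # already escaped, copy unchanged
            out.append('\\"')
            i += 2
        else:
            out.append('\\"' if pattern[i] == '"' else pattern[i])
            i += 1
    return '"' + "".join(out) + '"'

def value_end(line):
    """Index where the hash value literal (after the key and =>) closes."""
    key_end = literal_end(line, line.index('"', line.index("{")))
    return literal_end(line, line.index('"', key_end + 1))

def column_after_value(line):
    """1-based column of the first character the parser sees after the value."""
    return value_end(line) + 2

BROKEN = PREFIX + RAW + " }"                    # as in the failing filter
FIXED = PREFIX + escape_for_config(RAW) + " }"  # as in the accepted fix

if __name__ == "__main__":
    col = column_after_value(BROKEN)
    print("broken: value ends early, column", col, "holds", repr(BROKEN[col - 1]))
    print("fixed:  value runs to the closing quote:", value_end(FIXED) == len(FIXED) - 3)
    print(FIXED)
```

In the broken line the value literal closes right after `%{TIMESTAMP_ISO8601:timestamp}`, so the next character is the backslash at column 61, which is where the error message points.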