Logstash error. Expected symbols

Hello, I am new at logstash, so please could you help me.
I have this log:
2021-01-27 00:20:10 GET /ads/servlet/dbRequest?BNumber=353&ANumber=485739274 200 0.013
There are tabs between "date", "time", "GET" and "/ads"

My filte is:
filter {
grok { match => {"message" => "(?%{YEAR}-%{MONTHNUM}-%{MONTHDAY})\t(?%{HOUR}:%{MINUTE}:%{SECOND})\t%{WORD:method}"
}
}
if “_grokparsefailure” in [tags]
{
drop {}
}
}

Why when I am trying to start logstash it gives this failure?

lineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "(", "!", '"', \0-9], "[", [A-Za-z_], '/', "{" at line 11, column 4 (byte 274) after filter { \ngrok { match => {"message" => "(?%{YEAR}\-%{MONTHNUM}\-%{MONTHDAY})\t(?%{HOUR}\:%{MINUTE}\:%{SECOND})\t%{WORD:method}"}}\nif "", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:incompile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:184:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `in

image1616×465 75.5 KB

But when I am trying in https://grokdebug.herokuapp.com/ it works

image1330×706 23.9 KB

The below example might work better for you.

Pattern

%{TIMESTAMP_ISO8601:timestamp} %{DATA:method} %{GREEDYDATA:path}

Returns

{
          "path" => "/ads/servlet/dbRequest?BNumber=353&ANumber=485739274 200 0.013",
     "timestamp" => "2021-01-27 00:20:10",
        "method" => "GET"
}

Those appear to be curly quotes rather than straight double quotes: ". logstash only accepts the latter.

Thank you, now I see thish logs and index pattern does not creates.

image1631×409 31.7 KB

May be it because there are tabs between "date", "time", "GET" and "/ads"?
I put logs in Word and see this:

image1205×235 3.92 KB

my conf file:

image1387×628 10.8 KB

Thank you.

I solved this problem using [\t]

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.