Logstash Failed to excute action

Hi,

i am running ELK on docker. Every container is running and up. Exept logstash.

0dbb793596af        dockerelk_elasticsearch                "/usr/local/bin/dock…"   28 hours ago        Up About an hour               9200/tcp, 0.0.0.0:32878->9300/tcp                dockerelk_elasticsearch_3
0316ceb64a6a        dockerelk_elasticsearch                "/usr/local/bin/dock…"   28 hours ago        Up About an hour               9200/tcp, 0.0.0.0:32879->9300/tcp                dockerelk_elasticsearch_2
3babe70d6fc6        dockerelk_elasticsearch-master         "/usr/local/bin/dock…"   28 hours ago        Up About an hour               9200/tcp, 0.0.0.0:32876->9300/tcp                dockerelk_elasticsearch-master_2
196ff0ef0979        dockerelk_kibana                       "/bin/bash /usr/loca…"   28 hours ago        Up About an hour               0.0.0.0:5601->5601/tcp                           dockerelk_kibana_1
6a47d0015dc8        dockerelk_logstash                     "/usr/local/bin/dock…"   28 hours ago        Exited (1) About an hour ago                                                    dockerelk_logstash_1
ad939a173cb4        dockerelk_elasticsearch-master         "/usr/local/bin/dock…"   28 hours ago        Up About an hour               9200/tcp, 0.0.0.0:32877->9300/tcp                dockerelk_elasticsearch-master_1
62f6bda2466b        dockerelk_elasticsearch                "/usr/local/bin/dock…"   28 hours ago        Up About an hour               9200/tcp, 0.0.0.0:32875->9300/tcp                dockerelk_elasticsearch_1
241f31f32057        dockerelk_elasticsearch-coordinating   "/usr/local/bin/dock…"   28 hours ago        Up About an hour               0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp   elasticsearch-coordinating

The config from logstash is:

input {
        tcp {
                port => 5000
        }
}

output {
        elasticsearch {
                hosts => "elasticsearch-coordinating:9200"
                manage_template => false
                index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
                document_type => "%{[@metadata][type]}"
        }
}

I have to admit that there is no beat installed until now, but the index should have been created in elasticsearch, right?

The Logs from the logstash container are the following:

[2018-03-13T13:04:51,149][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
Sending Logstash's logs to /usr/share/logstash/logs which is now configured via log4j2.properties
[2018-03-13T13:10:29,540][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2018-03-13T13:10:29,649][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[2018-03-13T13:10:34,558][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-03-13T13:10:40,759][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.2.2"}
[2018-03-13T13:10:46,890][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2018-03-13T13:10:47,136][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, input, filter, output at line 18, column 1 (byte 293) after ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:51:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:169:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:315:in `block in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in `with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:312:in `block in converge_state'", "org/jruby/RubyArray.java:1734:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:299:in `converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:166:in `block in converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in `with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:164:in `converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:90:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:348:in `block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}

line 18 colume 1 ist after the last } from the output section.

Does somebody has any idea? I am stuck

you need to add a filter {} between input {} and output {}

you need to add a filter {} between input {} and output {}

No, that's not necessary.

Your configuration file doesn't have 18 lines so how come Logstash is complaining about line 18? Where is your configuration file? Are there other files in that directory?

Hi Magnus,

actually there was. I removed the other file into another directory and it seems to fix the problem.
Thanks, wouldn't have occured to me.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.