Logstash giving error at IF statement whereas syntax is correct as per documentation (Trying to fetch response time of API)

Hi all,
I am trying to set up a log management system. I wanted to get the response time in a single event, hence I used aggregation. But this config is giving me an error at the first if statement, as shown below.
I am pretty sure other errors would come too if it even passes this one.

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 14, column 12 (byte 332) after filter {\n grok {\n match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}] - (Status | Time):%{WORD:transaction}, Req ID:%{GREEDYDATA:tid}, User:%{GREEDYDATA:user}"}\n }\n\n filter {\n if ",

Any help would be greatly appreciated.

input {
        file {
            path => "/home/rajdeep/Desktop/nd"
            start_position => "beginning"
    }
}

filter {
     grok {
        match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}] - (Status | Time):%{WORD:transaction}, Req ID:%{GREEDYDATA:tid}, User:%{GREEDYDATA:user}"}
    }

    filter {
        if [message] =~ "Status" {
            grok {
                    match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}] - (Status | Time):%{WORD:transaction}, Req ID:%{GREEDYDATA:tid}, User:%{GREEDYDATA:user}"}
            }
            aggregate {
                task_id => "%{tid}"
                code => "
                map['user'] = event.get('user')
                map['timestamp'] = event.get('timestamp')
                "
                map_action => "create"
            }
            drop{}
        }
        if [message] =~ "Time" {
            grok {
                match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}] - (Status | Time):%{WORD:transaction}, Req ID:%{GREEDYDATA:tid}, User:%{GREEDYDATA:user}"}
                remove_field => ["message"]
            }
            aggregate {
                task_id => "%{tid}"
                code => "
                event.set('user', map['user'])
                event.set('request-time', map['timestamp'])
                event.set('time', 'full')
                "
                map_action => "update"
                end_of_task => true
                push_map_as_event_on_timeout => true
                timeout => 120
                timeout_task_id_field => "tid"
                timeout_code => "
                event.set('response', 'Response-timeout')
                event.set('type', 'request-response')
                event.set('transaction', 'request')
  "
            }
            ruby {
                init => "require 'time'"
                code => "duration = (DateTime.parse(event.get('response-time')).to_time.to_f*1000 -
                                    DateTime.parse(event.get('request-time')).to_time.to_f*1000)
                                    rescue nil; event.set('service-time', duration); "

            }
        }
    }
}

Output is configured to stdout and Elasticsearch.

Two filter blocks.

Hi,
Thank you for taking the time. Could you please guide me on how to use GREEDYDATA when I have 3-4 different types of log lines in a single file? What I have learned from the grok debugger is that the grok pattern should match the log file pattern by pattern. For example, if I have a timestamp at the beginning of a log file, I will have to use the pattern for the timestamp at the beginning itself and I cannot use it elsewhere in my grok pattern, which makes it harder to use a single filter for different log lines.
Sample log lines:

INFO 2019-08-29 09:50:20,681 [User App Mixins]Req ID: 1018 Request URL: /api/v1/userapp/booking/bookingParameters/, Method: POST
INFO 2019-08-29 09:50:20,681 [User App Mixins]Req ID: 1018 Request Query Params: <QueryDict: {}>
INFO 2019-08-29 09:50:20,682 [User App Mixins]Req ID: 1018 Request Data: {u'category_id': 461, u'name': u'RBS OIBP'}
INFO 2019-08-29 09:50:20,682 [User App Mixins]Req ID: 1018 Logged In User- 14351 - Sabarigiri Jayaraman, Android User, URL: /api/v1/userapp/booking/bookingParameters/
INFO 2019-08-29 09:50:20,718 [User App Mixins]Req ID: 1018 URL: /api/v1/userapp/booking/bookingParameters/, User: 14351 - Sabarigiri Jayaraman, Resp Status: 200
INFO 2019-08-29 09:50:20,718 [User App Mixins]Req ID: 1018 URL: /api/v1/userapp/booking/bookingParameters/, User: 14351 - Sabarigiri Jayaraman, Resp Time: 0.048
INFO 2019-08-29 09:50:22,543 [User App Mixins]Req ID: 1060 Request URL: /api/v1/userapp/booking/bookingParameters/, Method: POST
INFO 2019-08-29 09:50:22,544 [User App Mixins]Req ID: 1060 Request Query Params: <QueryDict: {}>
INFO 2019-08-29 09:50:22,544 [User App Mixins]Req ID: 1060 Request Data: {u'category_id': 357, u'name': u'RBS 7B'}
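
An added example, not posted by anyone in this thread: one way to lay out a single filter block (no nested `filter { }`) that handles the several line types in the sample above with a list of grok patterns and correlates them by Req ID. The field names `rest`, `component`, `method`, `status`, `resp_time` and `request_time` are assumptions chosen for illustration.

```logstash
# Added example. Field names are assumptions, not taken from the thread.
# The aggregate filter needs a single pipeline worker (start Logstash with -w 1).
filter {
  # Prefix common to every sample line; the variable tail is captured in [rest].
  grok {
    match => { "message" => "^%{LOGLEVEL:level} %{TIMESTAMP_ISO8601:timestamp} \[%{DATA:component}\]Req ID: %{INT:tid} %{GREEDYDATA:rest}" }
  }
  # One grok with several patterns: they are tried in order, first match wins.
  grok {
    match => { "rest" => [
      "^Request URL: %{DATA:url}, Method: %{WORD:method}$",
      "^URL: %{DATA:url}, User: %{DATA:user}, Resp Status: %{INT:status}$",
      "^URL: %{DATA:url}, User: %{DATA:user}, Resp Time: %{NUMBER:resp_time:float}$"
    ] }
    tag_on_failure => []   # other line types stay unparsed and untagged
  }
  # Conditionals sit directly inside the one filter block.
  if [method] {
    aggregate {
      task_id => "%{tid}"
      code => "map['method'] = event.get('method'); map['request_time'] = event.get('timestamp')"
      map_action => "create"
      timeout => 120       # set the timeout in only one aggregate per task_id
    }
    drop {}
  } else if [status] {
    aggregate {
      task_id => "%{tid}"
      code => "map['status'] = event.get('status')"
      map_action => "update"
    }
    drop {}
  } else if [resp_time] {
    # Last line of a request: copy the collected fields onto this event.
    aggregate {
      task_id => "%{tid}"
      code => "map.each { |k, v| event.set(k, v) }"
      map_action => "update"
      end_of_task => true
    }
  }
}
```

Lines that match none of the three patterns (Request Query Params, Request Data, Logged In User) pass through with only the prefix fields set; add a final `else { drop {} }` if only the merged per-request event should reach the outputs.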
