Logstash giving error at IF statement whereas syntax is correct as per documentation (Trying to fetch response time of API)

rajdeep101 · September 3, 2019, 6:59am

Hi all,
I am trying to setup a log management system. I wanted to get response time in a single event hence i used aggregation. But this config is giving me error at the first If statement
i am pretty sure other errors would come to if its even passes this one.
as

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 14, column 12 (byte 332) after filter {\n grok {\n match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}] - (Status | Time):%{WORD:transaction}, Req ID:%{GREEDYDATA:tid}, User:%{GREEDYDATA:user}"}\n }\n\n filter {\n if ",

Any help would be greatly appreciated.

input {
        file {
            path => "/home/rajdeep/Desktop/nd"
            start_position => "beginning"
    }
}

filter {
     grok {
        match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}] - (Status | Time):%{WORD:transaction}, Req ID:%{GREEDYDATA:tid}, User:%{GREEDYDATA:user}"}
    }

    filter {
        if [message] =~ "Status" {
            grok {
                    match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}] - (Status | Time):%{WORD:transaction}, Req ID:%{GREEDYDATA:tid}, User:%{GREEDYDATA:user}"}
            }
            aggregate {
                task_id => "%{tid}"
                code => "
                map['user'] = event.get('user')
                map['timestamp'] = event.get('timestamp')
                "
                map_action => "create"
            }
            drop{}
        }
        if [message] =~ "Time" {
            grok {
                match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp}] - (Status | Time):%{WORD:transaction}, Req ID:%{GREEDYDATA:tid}, User:%{GREEDYDATA:user}"}
                remove_field => ["message"]
            }
            aggregate {
                task_id => "%{tid}"
                code => "
                event.set('user', map['user'])
                event.set('request-time', map['timestamp'])
                event.set('time', 'full')
                "
                map_action => "update"
                end_of_task => true
                push_map_as_event_on_timeout => true
                timeout => 120
                timeout_task_id_field => "tid"
                timeout_code => "
                event.set('response', 'Response-timeout')
                event.set('type', 'request-response')
                event.set('transaction', 'request')
  "
            }
            ruby {
                init => "require 'time'"
                code => "duration = (DateTime.parse(event.get('response-time')).to_time.to_f*1000 -
                                    DateTime.parse(event.get('request-time')).to_time.to_f*1000)
                                    rescue nil; event.set('service-time', duration); "

            }
        }
    }
}

Output is configured to stdout and elastic search.

guyboertje · September 3, 2019, 12:44pm

Two filter blocks.

rajdeep101 · September 3, 2019, 1:26pm

Hi
Thank you for taking time out. Could you please guide me on how to use greedydata when i have 3-4 different types of log lines in a single file and what i have learned from grok debugger is that the grok pattern should match pattern by pattern to the log file. For example if i have timestamp in the beginning of a log file i will have to use pattern for timestamp in the beginning itself and i cannot use it elsewhere in my grok pattern, which makes it harder to use single filter for different log lines.
sample log lines

INFO 2019-08-29 09:50:20,681 [User App Mixins]Req ID: 1018 Request URL: /api/v1/userapp/booking/bookingParameters/, Method: POST
INFO 2019-08-29 09:50:20,681 [User App Mixins]Req ID: 1018 Request Query Params: <QueryDict: {}>
INFO 2019-08-29 09:50:20,682 [User App Mixins]Req ID: 1018 Request Data: {u'category_id': 461, u'name': u'RBS OIBP'}
INFO 2019-08-29 09:50:20,682 [User App Mixins]Req ID: 1018 Logged In User- 14351 - Sabarigiri Jayaraman, Android User, URL: /api/v1/userapp/booking/bookingParameters/
INFO 2019-08-29 09:50:20,718 [User App Mixins]Req ID: 1018 URL: /api/v1/userapp/booking/bookingParameters/, User: 14351 - Sabarigiri Jayaraman, Resp Status: 200
INFO 2019-08-29 09:50:20,718 [User App Mixins]Req ID: 1018 URL: /api/v1/userapp/booking/bookingParameters/, User: 14351 - Sabarigiri Jayaraman, Resp Time: 0.048
INFO 2019-08-29 09:50:22,543 [User App Mixins]Req ID: 1060 Request URL: /api/v1/userapp/booking/bookingParameters/, Method: POST
INFO 2019-08-29 09:50:22,544 [User App Mixins]Req ID: 1060 Request Query Params: <QueryDict: {}>
INFO 2019-08-29 09:50:22,544 [User App Mixins]Req ID: 1060 Request Data: {u'category_id': 357, u'name': u'RBS 7B'}

system · October 1, 2019, 1:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Aggregate Logstash	3	313	August 6, 2019
Logstash GROK If statement Logstash	2	4993	August 16, 2017
New to logstash need help with config Logstash	12	452	October 3, 2019
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 6, Logstash	4	3743	May 16, 2019
GROK filter throws ERROR Logstash	25	2643	September 6, 2018

Logstash giving error at IF statement whereas syntax is correct as per documentation (Trying to fetch response time of API)

Related topics