Logstash stops with error: can't convert Array into String

Logstast stops in few minutes with following error:

Sudo -u logstash /opt/logstash/bin/logstash -f /etc/logstash/conf.d/
    slack plugin is using the 'milestone' method to declare the version of the plugin this method is deprecated in favor of declaring the version inside the gemspec. {:level=>:warn}
    Settings: Default pipeline workers: 2
    Defaulting pipeline worker threads to 1 because there are some filters that might not work with multiple worker threads {:count_was=>2, :filters=>["multiline"], :level=>:warn}
    Logstash startup completed


 Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>#<TypeError: can't convert Array into String>, "backtrace"=>["org/jruby/RubyString.java:4462:in `include?'", "(eval):226:in `cond_func_6'", "org/jruby/RubyArray.jav`each'", "(eval):224:in `cond_func_6'", "(eval):241:in `cond_func_5'","org/jruby/RubyArray.java:1613:in `each'", "(eval):238:in `cond_func_5'", "(eval):147:in `filter_func'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:259:in `filter_batch'", "org/jruby/RubyArray.java:1613:in `each'","org/jruby/RubyEnumerable.java:852:in `inject'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:257:in `filter_batch'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:215:in `worker_loop'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:193:in `start_workers'"], :level=>:error}
TypeError: can't convert Array into String
       include? at org/jruby/RubyString.java:4462
    cond_func_6 at (eval):226
           each at org/jruby/RubyArray.java:1613
    cond_func_6 at (eval):224
    cond_func_5 at (eval):241
           each at org/jruby/RubyArray.java:1613
    cond_func_5 at (eval):238
    filter_func at (eval):147
   filter_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.                                                                                        4-java/lib/logstash/pipeline.rb:259
           each at org/jruby/RubyArray.java:1613
         inject at org/jruby/RubyEnumerable.java:852
   filter_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.                                                                                        4-java/lib/logstash/pipeline.rb:257
    worker_loop at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.                                                                                        4-java/lib/logstash/pipeline.rb:215
  start_workers at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.                                                                                        4-java/lib/logstash/pipeline.rb:193

My Filter is here:

filter {
    multiline {
        pattern => "^%{TIMESTAMP_ISO8601}"
        negate => true
        what => previous
    }

    grok {
        match => ["message", "%{TIMESTAMP_ISO8601} Thread:'(?<thread>[^']+)' Level:'%{LOGLEVEL:log-level}' Message:%{GREEDYDATA:information}"]
        tag_on_failure => ["error_message_not_parsed"]
        remove_field => ["message"]
        break_on_match => false
    }

   if [type] == "SomeServer1-Prod" or [type] == "SomeServer1-Dev"  or [type] == "SomeServer2-Dev" or [type] == "SomeServer2-Prod"
    {

        if ["ERROR", "error"] in  [log-level]
         {
          mutate
           {
            add_tag => ["alert"]
           }
         }
    }
}

Can you please copy/paste the whole lines from the log? Some of the lines are truncated.

Do not use the multiline filter as it has been deprecated. Instead use the multiline codec plugin.

:message=>"Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash.", "exception"=>#<TypeError: can't convert Array into String>, "backtrace"=>["org/jruby/RubyString.java:4462:ininclude?'", "(eval):226:in cond_func_6'", "org/jruby/RubyArray.java:1613:ineach'", "(eval):224:in cond_func_6'", "(eval):241:incond_func_5'", "org/jruby/RubyArray.java:1613:in each'", "(eval):238:incond_func_5'", "(eval):147:in filter_func'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:259:infilter_batch'", "org/jruby/RubyArray.java:1613:in each'", "org/jruby/RubyEnumerable.java:852:ininject'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:257:in filter_batch'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:215:inworker_loop'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:193:in start_workers'"], :level=>:error}

I Disabled the multiline filter and it stopped shuttingdown with the above error. Now it stops on the below filter:
Specifically on the if statement.
If there is a log generated from "SomeServer1-Prod" with log-level "ERROR"

filter {
    grok {
        match => ["message", "%{TIMESTAMP_ISO8601} Thread:'(?<thread>[^']+)' Level:'%{LOGLEVEL:log-level}' Message:%{GREEDYDATA:information}"]
        tag_on_failure => ["error_message_not_parsed"]
        remove_field => ["message"]
        break_on_match => false
    }

   if [type] == "SomeServer1-Prod" or [type] == "SomeServer1-Dev"  or [type] == "SomeServer2-Dev" or [type] == "SomeServer2-Prod"
    {

        if ["ERROR", "error"] in  [log-level]
         {
          mutate
           {
            add_tag => ["alert"]
           }
         }
    }
}

Error is here:

> Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>#<TypeError: can't convert Array into String>, "backtrace"=>["org/jruby/RubyString.java:4462:in `include?'", "(eval):170:in `cond_func_4'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):168:in `cond_func_4'", "(eval):185:in `cond_func_3'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):182:in `cond_func_3'", "(eval):119:in `filter_func'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:259:in `filter_batch'", "org/jruby/RubyArray.java:1613:in `each'", "org/jruby/RubyEnumerable.java:852:in `inject'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:257:in `filter_batch'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:215:in `worker_loop'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:193:in `start_workers'"], :level=>:error}
>     TypeError: can't convert Array into String
>            include? at org/jruby/RubyString.java:4462
>         cond_func_4 at (eval):170
>                each at org/jruby/RubyArray.java:1613
>         cond_func_4 at (eval):168
>         cond_func_3 at (eval):185
>                each at org/jruby/RubyArray.java:1613
>         cond_func_3 at (eval):182
>         filter_func at (eval):119
>        filter_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:259
>                    each at org/jruby/RubyArray.java:1613
>                  inject at org/jruby/RubyEnumerable.java:852
>            filter_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:257
>             worker_loop at /opt/logPreformatted textstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:215
>           start_workers at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:193

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.