Logstash Syntax Error

Kernel_Panic · November 11, 2016, 7:22pm

Hi there guys,
Can you help me with this issue?

output {
  if [@metadata][beat] {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else if {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "collectd-%{+YYYY.MM.dd}"
      document_type => "collectd"
    }
  }
   else {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "sensu-%{+YYYY.MM.dd}"
      document_type => "sensu"
    }
  }
}

Configtest complains with the following:

Error: Expected one of #, (, !, ", ', -, [, / at line 59, column 13 (byte 1306) after output {
  if [@metadata][beat] {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else if  {:level=>:error}

What's wrong with it?
Thanks
Regards

magnusbaeck · November 12, 2016, 4:20pm

Your else if is missing a condition; there must be a logical expression after if.

Kernel_Panic · November 13, 2016, 1:00am

Ok, and what happens if I split the output configuration to include only the sensu stuff? Can I do that? if I've got a file named 30-output.conf, should I named it 31-output-sensu.conf for example? is that order or naming convention important?

Thanks
Regards

magnusbaeck · November 13, 2016, 2:58pm

Ok, and what happens if I split the output configuration to include only the sensu stuff? Can I do that?

I'm not sure what you mean.

if I've got a file named 30-output.conf, should I named it 31-output-sensu.conf for example? is that order or naming convention important?

No, not for outputs. All events are sent to all outputs unless put under a condition.

Kernel_Panic · November 13, 2016, 3:48pm

Hi

What I mean is to have an output config file for every condition instead of having a big one output.conf file which holds all condition.. let say , one file name for example 30-output-sensu.conf 31-output-beat.conf 32-output-other-stuff.conf

One config file for document_type => "sensu" another for document_type => "beat" another for document_type => "syslog-or-whatever-I-want"

Thank you very much for your time and support
Regards

magnusbaeck · November 13, 2016, 5:11pm

You can certainly do as you describe if your prefer. Logstash doesn't care if you split your output blocks or keep them in a single file.

Kernel_Panic · November 13, 2016, 5:28pm

Thank you very much Magnus, very kind of you.
Regards

system · December 11, 2016, 5:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.