Logstash with filter won't start: Failed to execute action

My filter:

```
input {
  beats {
    port => "5044"
  }
}
filter {
  multiline {
      pattern => "^\s"
      what => "previous"
  }
  dissect {
    mapping => {
      "message" => "%{timestamp} | %{level} | %{subsystem} | %{route} | %{class} | %{message}"
    }
  }
  date {
    match [ "timestamp", "ISO8601" ]
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[metadata][type]}"
  }
}
```

Error:

```
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 17, column 11 (byte 272) after filter {\n multiline {\n pattern => \"^\\s\"\n what => \"previous\"\n }\n dissect {\n mapping => {\n \"message\" => \"%{timestamp} | %{level} | %{subsystem} | %{route} | %{class} | %{message}\"\n }\n }\n date {\n match ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in `block in compile_sources'", "org/jruby/RubyArray.java:2486:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:51:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:169:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:315:in `block in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in `with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:312:in `block in converge_state'", "org/jruby/RubyArray.java:1734:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:299:in `converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:166:in `block in converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in `with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:164:in `converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:90:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:348:in `block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}
```

Example log file: https://pastebin.com/c5JNw69q

You should not use the multiline filter as this has been deprecated. Best practice is to always perform multiline processing as close to the source as possible. As it looks like you are using Filebeat, that is where you should be doing it.

The error message is however due to the fact that the date filter is not correct as you are missing =>.

Super, thank you!

What should my split line look like?
This did not work as I wanted it to:

```
  ### Multiline options
  multiline.pattern: ^\s
  multiline.negate: true
  multiline.match: after
```

Example log: https://pastebin.com/NnThSGd7

The messages are always formatted like this:
%{timestamp} | %{level} | %{subsystem} | %{route} | %{class} | %{message}
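An added example, not part of the original thread: a simplified Python model of how Filebeat's documented `multiline.negate` / `multiline.match: after` options group lines, run over constructed log lines in the format above. The sample lines, the assumption that continuation lines are indented, and all function names are illustrative.

```python
import re

# Constructed sample in the thread's "timestamp | level | subsystem | route | class | message"
# layout. Indented continuation lines are an assumption implied by the ^\s pattern.
SAMPLE = [
    "2018-03-01T10:15:30.123Z | ERROR | auth | /login | LoginHandler | Unhandled exception",
    "    at com.example.LoginHandler.handle(LoginHandler.java:42)",
    "    at com.example.Router.dispatch(Router.java:17)",
    "2018-03-01T10:15:31.004Z | INFO | auth | /login | LoginHandler | Login ok",
    "2018-03-01T10:15:32.250Z | WARN | api | /users | UserApi | Slow response",
]


def group_after(lines, pattern, negate):
    """Model of multiline.match: after (not Filebeat's own code).

    A line is appended to the current event when (pattern matches) != negate;
    otherwise it starts a new event. Limits such as max_lines are ignored.
    """
    rx = re.compile(pattern)
    events = []
    for line in lines:
        is_continuation = (rx.search(line) is not None) != negate
        if events and is_continuation:
            events[-1].append(line)
        else:
            events.append([line])
    return ["\n".join(event) for event in events]


def as_posted():
    # Settings from the thread: indented lines START events, log lines get merged.
    return group_after(SAMPLE, r"^\s", negate=True)


def whitespace_continuation():
    # Indented lines are appended to the preceding log line.
    return group_after(SAMPLE, r"^\s", negate=False)


def timestamp_start():
    # Alternative: anything not starting with an ISO8601-style date is a continuation.
    return group_after(SAMPLE, r"^\d{4}-\d{2}-\d{2}T", negate=True)


if __name__ == "__main__":
    for fn in (as_posted, whitespace_continuation, timestamp_start):
        print(f"--- {fn.__name__}")
        for event in fn():
            print(repr(event))
```

In `filebeat.yml`, the `whitespace_continuation` case corresponds to `multiline.pattern: '^\s'`, `multiline.negate: false`, `multiline.match: after`.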
