My Logstash sometimes throws a [Regexp Interrupted] exception while running, then it dies


(Walter Xue) #1

Logstash Version 5.6.4
Elasticsearch Version 5.6.4

Logstash Config
filter {
  if "beats_input_codec_plain_applied" in [tags] {
    mutate {
      remove_tag => ["beats_input_codec_plain_applied"]
    }
  }
  if "_geoip_lookup_failure" in [tags] {
    drop { }
  }

  if "_grokparsefailure" in [tags] {
    drop { }
  }
  if [xclientip] == "-" {
    mutate {
      replace => { "xclientip" => "0.0.0.0" }
    }
  }
  if [type] in [ "aa", "bb" ] {
    grok {
      patterns_dir => ["/usr/local/logstash/patterns"]
      match => [ "message", "%{COMBINEDAPACHELOG2}", "message", "%{COMBINEDAPACHELOG}" ]
    }
    geoip {
      source => "xclientip"
      target => "geoip"
      database => "/usr/local/logstash/GeoIP/GeoLite2-City.mmdb"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float", "bytes", "integer", "elapsedmillis", "integer" ]
    }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" , "ISO8601" ]
      target => "@timestamp"
    }
    mutate {
      add_field => { "path" => "%{request}" }
    }
    mutate {
      gsub => [ "path", "?.*", "" ]
    }
    mutate {
      remove_field => [ "message", "source" ]
    }
  }
}

My Logstash log:

[FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<InterruptedRegexpError: Regexp Interrupted>, :backtrace=>["org/jruby/RubyString.java:3101:in `gsub'", "org/jruby/RubyString.java:3069:in `gsub'", "/usr/local/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.2.0/lib/logstash/filters/mutate.rb:336:in `gsub_dynamic_fields'", "/usr/local/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.2.0/lib/logstash/filters/mutate.rb:327:in `gsub'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/local/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.2.0/lib/logstash/filters/mutate.rb:309:in `gsub'", "/usr/local/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-mutate-3.2.0/lib/logstash/filters/mutate.rb:223:in `filter'", "/usr/local/logstash/logstash-core/lib/logstash/filters/base.rb:145:in `do_filter'", "/usr/local/logstash/logstash-core/lib/logstash/filters/base.rb:164:in `multi_filter'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/local/logstash/logstash-core/lib/logstash/filters/base.rb:161:in `multi_filter'", "/usr/local/logstash/logstash-core/lib/logstash/filter_delegator.rb:46:in `multi_filter'", "(eval):583:in `initialize'", "org/jruby/RubyArray.java:1613:in `each'", "(eval):575:in `initialize'", "org/jruby/RubyProc.java:281:in `call'", "(eval):338:in `filter_func'", "/usr/local/logstash/logstash-core/lib/logstash/pipeline.rb:398:in `filter_batch'", "/usr/local/logstash/logstash-core/lib/logstash/pipeline.rb:379:in `worker_loop'", "/usr/local/logstash/logstash-core/lib/logstash/pipeline.rb:342:in `start_workers'"]}


(Magnus Bäck) #2

InterruptedRegexpError: Regexp Interrupted

It looks like your gsub is taking too long to execute.

gsub => [ "path", "?.*", "" ]

What on earth is this supposed to accomplish?


(Walter Xue) #3

That means the request content is like /example/API/getIsCookieExist.jsp?txtTime=1514855035170, then the request field is copied to a new field (path).

The path content after the ? is replaced with blank.
The content will be like /example/API/getIsCookieExist.jsp


(Magnus Bäck) #4

Oh, so your regexp is actually \?.*. Always post configuration as preformatted text so e.g. backslashes aren't stripped away.
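
An added example, not part of the original thread and not code from logstash-filter-mutate: a Ruby check that the pattern as displayed in post #1 does not compile while the escaped form from reply #4 strips the query string, next to a version that uses no regular expression at all. The constant and function names are hypothetical, and the sample requests are constructed except the first, which is the request quoted in post #3.

```ruby
# Added example: names below are hypothetical, not taken from Logstash.

# Pattern as it appeared in post #1 after the forum stripped the backslash.
DISPLAYED_PATTERN = '?.*'
# Pattern confirmed in reply #4.
INTENDED_PATTERN = '\?.*'

# Returns true when the string compiles as a Ruby regular expression.
def compiles?(pattern)
  Regexp.new(pattern)
  true
rescue RegexpError
  false
end

# What the gsub in the config is meant to do: delete "?" and everything
# after it on the same line.
def strip_query_regex(request)
  request.gsub(Regexp.new(INTENDED_PATTERN), '')
end

# Same result for single-line requests without involving the regex engine:
# cut the string at the first "?".
def strip_query_plain(request)
  request.partition('?').first
end

# Sample requests; only the first comes from the thread, the rest are constructed.
SAMPLES = [
  '/example/API/getIsCookieExist.jsp?txtTime=1514855035170',
  '/index.html',
  '/search?q=a?b',
  '/long?' + ('x' * 100_000)
].freeze

# Runs both variants over the samples and reports whether they agree.
def variants_agree?
  SAMPLES.all? { |r| strip_query_regex(r) == strip_query_plain(r) }
end

if __FILE__ == $PROGRAM_NAME
  puts "displayed pattern compiles: #{compiles?(DISPLAYED_PATTERN)}"
  puts "intended pattern compiles:  #{compiles?(INTENDED_PATTERN)}"
  puts "variants agree on samples:  #{variants_agree?}"
  puts strip_query_plain(SAMPLES.first)
end
```

The request field comes from client traffic, so its length and content are not under the pipeline's control; the plain variant does a single scan for the first "?" regardless of what follows it.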

