Hi,
I am new to ELK and am trying to match a specific keyword in the message of a log entry and, if it matches, write the event to a separate index in Elasticsearch. My output config is as below:
```
output {
  if "ALARM" in [logmsg] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "alarm"
    }
  else
  {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "%{+YYYY.MM.dd}"
    }
  }
}
```
I got the above logic from "Filter specific Message with logstash before sending to ElasticSearch", but it is not working. Is there a syntax error in this? Can you please help?
Error log from Logstash:
```
[2017-05-19T13:17:20,684][ERROR][logstash.agent ] Cannot create pipeline {:reason=>"Expected one of #, => at line 33, column 16 (byte 589) after output {\n \n if "ALARM" in [logmsg] {\n elasticsearch {\n hosts => ["localhost:9200"]\n index => "alarm"\n }\n else\n{\n\n elasticsearch ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:50:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:145:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:286:in `create_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:95:in `register_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:274:in `execute'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:185:in `run'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132:in `run'", "/usr/share/logstash/lib/bootstrap/environment.rb:71:in `(root)'"]}
```
Thanks in advance
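
The posted output section never closes the `if` block before `else`, so the parser reads `else { ... }` as a plugin inside the `if` and then expects `=>` after `elasticsearch`, which is the error in the log. The same routing with balanced braces, as an added example that is not part of the original post (it assumes `[logmsg]` is a string field already set by the filter stage):

```logstash
# Added example, not from the original post.
# Assumption: [logmsg] is a string field populated by an earlier filter;
# on a string field, "in" performs a substring match.
output {
  if "ALARM" in [logmsg] {
    # Events whose logmsg contains ALARM go to a dedicated index.
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "alarm"
    }
  } else {
    # Everything else goes to the daily index, as in the original config.
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "%{+YYYY.MM.dd}"
    }
  }
}
```

Running `bin/logstash -f <path-to-config> --config.test_and_exit` (the path is a placeholder) validates the pipeline syntax without starting it.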