Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<RegexpError: empty char-class: /(?:Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query

[ERROR] 2019-07-24 10:52:19.002 [[main]-pipeline-manager] javapipeline - Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<RegexpError: empty char-class: /(?:Duplicate TCP SYN|Failed to locate egress interface|Invalid transport field|No matching connection|DNS Response|DNS Query|(?:(?:\b\w+\b)\s*)*):(?:(?:(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))|60)),436 | INFO | 970074601-765686 | (?:(?:[a-zA-Z0-9-]+.)+[A-Za-z0-9$]+) 276 | 38 - (?:(?:[a-zA-Z0-9-]+.)+[A-Za-z0-9$]+)-core - (?:(?:[a-zA-Z0-9-]+.)+[A-Za-z0-9$]+) | Inbound Message

ID: 714128
Response-Code: 200
Encoding: (?:[A-Z0-9]+-(?:(?:[+-]?(?:[0-9]+)))-(?:[A-Z0-9_]+))
Content-Type: application(?:(?:(?:/[A-Za-z0-9$.+!'(){},~:;=@#%&_-])+)(?:(?:?[A-Za-z0-9$.+!'|(){},~@#%&/=:;_?-[]<>]))?)
Headers: {connection=(?:[(?:.?)]+), Content-Length=(?:[(?NUMBER:nagios_epoch(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:.[0-9]+)?)|(?:.[0-9]+))))))]), content-type=(?:[(?:.?)]+), Date=(?:[(?:.?)]+), Keep-Alive=(?:[(?:.?)]+), Server=(?:[(?:.?)]+), X-Powered-By=(?:[(?:.?)]+)}
Payload: {(?:(?:(?>(?<!\)(?>"(?>\.|[^\"]+)+"|""|(?>'(?>\.|[^\']+)+')|''|(?>(?>\\.|[^\\]+)+)|``)))):false,(?:(?:(?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>(?>\.|[^\]+)+)|)))):(?:(?:(?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|)))),(?:(?:(?>(?<!\)(?>"(?>\.|[^\"]+)+"|""|(?>'(?>\.|[^\']+)+')|''|(?>(?>\\.|[^\\]+)+)|``)))):[]} /m>, :backtrace=>["org/jruby/RubyRegexp.java:940:ininitialize'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:127:in compile'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.0.4/lib/logstash/filters/grok.rb:281:inblock in register'", "org/jruby/RubyArray.java:1792:in each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.0.4/lib/logstash/filters/grok.rb:275:inblock in register'", "org/jruby/RubyHash.java:1419:in each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.0.4/lib/logstash/filters/grok.rb:270:inregister'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:56:in register'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:192:inblock in register_plugins'", "org/jruby/RubyArray.java:1792:in each'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:191:inregister_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:463:in maybe_setup_out_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:204:instart_workers'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:146:in run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:105:inblock in start'"], :thread=>"#<Thread:0x49dff0bf run>"}

[ERROR] 2019-07-24 10:52:19.022 [Converge PipelineAction::Create] agent - Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create, action_result: false", :backtrace=>nil}

My config file:
input {
beats {
port => "5044"
}
}

filter {
grok {
match => { "message" => "%{CISCO_REASON}:%{ISO8601_SECOND},436 | INFO | 970074601-765686 | %{JAVACLASS} 276 | 38 - %{JAVACLASS}-core - %{JAVACLASS} | Inbound Message

ID: 714128
Response-Code: 200
Encoding: %{CISCOTAG}
Content-Type: application%{URIPATHPARAM}
Headers: {connection=%{SYSLOG5424SD}, Content-Length=%{NAGIOSTIME}, content-type=%{SYSLOG5424SD}, Date=%{SYSLOG5424SD}, Keep-Alive=%{SYSLOG5424SD}, Server=%{SYSLOG5424SD}, X-Powered-By=%{SYSLOG5424SD}}
Payload: {%{QS}:false,%{QS}:%{QS},%{QS}:}
"}
}
}

output {
elasticsearch {
hosts => [ "xxxxx:9200" ]
index => "prod-%{+YYYY.MM.dd}"
}
stdout { codec => rubydebug }
}

My input log file:

17 Jul 2019 00:03:33,436 | INFO | 970074601-765686 | eptor.AbstractLoggingInterceptor 276 | 38 - org.apache.cxf.cxf-core - 3.2.4 | Inbound Message

ID: 714128
Response-Code: 200
Encoding: ISO-8859-1
Content-Type: application/json
Headers: {connection=[Keep-Alive], Content-Length=[178], content-type=[application/json], Date=[Tue, 16 Jul 2019 23:03:27 GMT], Keep-Alive=[timeout=15, max=100], Server=[Apache], X-Powered-By=[PHP/5.4.45]}
Payload: {"success":false,"message":"API memory limit reached

  • /opt/monolith/www/ui/eventBase/model/Events.php</li>
    • Result set too large</li></ul></ul>","data":}

That would typically mean you are trying to match literal square brackets using square brackets without escaping them. To match a string like

Foo: []

You have to use

Foo: \[\]
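The following Ruby sketch is an added example, not part of the original reply or of Logstash itself. It reproduces the "empty char-class" error from a grok-style pattern with a literal `[]`, then escapes only the text outside the `%{...}` references. The `PATTERNS` table, the helper names and the sample line are constructed for illustration.

```ruby
# Constructed stand-ins for two grok patterns (simplified, not the shipped definitions).
PATTERNS = { "QS" => '"[^"]*"', "LOGLEVEL" => '[A-Z]+' }.freeze
REF = /%\{(\w+)(?::(\w+))?\}/

# Escape everything outside %{...} so [ ] { } | are matched as literal characters.
def escape_literals(grok)
  grok.split(/(%\{\w+(?::\w+)?\})/).map { |part|
    part.match?(/\A#{REF.source}\z/) ? part : Regexp.escape(part)
  }.join
end

# Expand %{NAME} or %{NAME:field} into a group, the step grok performs before compiling.
def expand(grok)
  grok.gsub(REF) do
    name, field = $1, $2
    body = PATTERNS.fetch(name)
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

def compile(grok)
  Regexp.new(expand(grok))
end

# Returns the compiled Regexp, or the error message if compilation fails.
def try_compile(grok)
  compile(grok)
rescue RegexpError => e
  e.message
end

# Constructed pattern and log line: literal text around the references, ending in "[]".
RAW  = '%{LOGLEVEL:level} | Payload: {%{QS:key}:[]}'
LINE = 'INFO | Payload: {"data":[]}'

if __FILE__ == $0
  puts "unescaped: #{try_compile(RAW)}"
  escaped = escape_literals(RAW)
  puts "escaped:   #{escaped}"
  m = compile(escaped).match(LINE)
  puts "fields:    level=#{m[:level]} key=#{m[:key]}"
end
```

The same escaping also covers the literal `|` separators, which an unescaped pattern would treat as alternation.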
