Pipeline Code Issue

Hello,

I have some trouble with my Logstash Pipeline code.

I just added the following to my pipeline filter section:

if [beat][hostname] == ”qa-exchg16” {
  mutate {
    replace => { "[fields][app_id]" => "exchangeqa" }
  }
}

After I added this code, this error is repeated in the Logstash log.

[2019-09-03T13:47:34,052][ERROR][logstash.agent ] Failed to execute action {:id=>:"winlogbeat-dc", :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Expected one of #, ", ', -, [, / at line 13, column 26 (byte 166) after filter {\n \n if [beat][hostname] == ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2577:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/reload.rb:43:in `block in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:in `block in exclusive'", "org/jruby/ext/thread/Mutex.java:165:in `synchronize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:in `exclusive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/reload.rb:39:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:334:in `block in converge_state'"]}

Any thoughts on what my issue might be?

Here is my whole filter section:

filter {

  if [beat][hostname] == ”qa-exchg16” {
    mutate {
      replace => { "[fields][app_id]" => "exchangeqa" }
    }
  }


  if [event_id] == 4672 and [event_data][SubjectUserName] =~ /^EX(1|2)-.*\$$/ {
    drop {}
  }

  if [event_id] == 4624 or [event_id] == 4625 or [event_id] == 4648 or [event_id] == 4688 {
    truncate {
      id => "truncate_long"
      fields => "message"
      length_bytes => 200
    }
  }

  if ![fields][campus] {
      mutate { add_field => { "[fields][campus]" => "unk" } }
  }

  if ![fields][app_id] {
      mutate { add_field => { "[fields][app_id]" => "none" } }
  }

  mutate { add_tag => [ "pipeline_winlogbeat-dc"] }
}

Those are curly quotes. Use regular double quotes.

Thanks Badger - I got owned by copy & paste!
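A pre-deploy check for the problem diagnosed in this thread, added here as an example and not posted by anyone in the thread: it scans pipeline config text for typographic quotes and reports each one by line and column. The function names (`find_lookalike_quotes`, `check`) and the character list are assumptions chosen for this sketch; the sample input is constructed from the conditional in the original post.

```python
import sys
import unicodedata

# Typographic characters commonly substituted for ASCII quotes by web pages
# and word processors, mapped to the ASCII quote that was probably intended.
LOOKALIKES = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"', "\u201f": '"',
    "\u00ab": '"', "\u00bb": '"', "\u2033": '"',
    "\u2018": "'", "\u2019": "'", "\u201a": "'", "\u201b": "'", "\u2032": "'",
}

def find_lookalike_quotes(text):
    """Return one dict per typographic quote found in a pipeline config."""
    findings = []
    byte_offset = 0  # 0-based UTF-8 offset from the start of the text
    for line_no, line in enumerate(text.split("\n"), start=1):
        for column, ch in enumerate(line, start=1):  # 1-based column
            if ch in LOOKALIKES:
                findings.append({
                    "line": line_no, "column": column, "byte": byte_offset,
                    "name": unicodedata.name(ch), "ascii": LOOKALIKES[ch],
                })
            byte_offset += len(ch.encode("utf-8"))
        byte_offset += 1  # the newline that split() consumed
    return findings

# Constructed sample: the conditional from the post, curly quotes included.
SAMPLE = (
    "filter {\n"
    "\n"
    "  if [beat][hostname] == \u201dqa-exchg16\u201d {\n"
    "    mutate {\n"
    '      replace => { "[fields][app_id]" => "exchangeqa" }\n'
    "    }\n"
    "  }\n"
    "}\n"
)

def check(name, text):
    """Print findings for one config; return True when it is clean."""
    findings = find_lookalike_quotes(text)
    for f in findings:
        print(f"{name}:{f['line']}:{f['column']} (byte {f['byte']}): "
              f"{f['name']}, use {f['ascii']} instead")
    return not findings

if __name__ == "__main__":
    if len(sys.argv) > 1:  # paths to pipeline .conf files
        results = [check(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
        sys.exit(0 if all(results) else 1)
    check("sample", SAMPLE)
```

Run with one or more config paths, it exits non-zero when any file contains a lookalike quote, so it can gate a config reload. On the sample it flags column 26, the same column the Logstash error above reports for that line.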
