Ruby filter "LogStash::ConfigurationError"

dishma237 · February 6, 2020, 1:16pm

Hi Guys, got a config setup as below to receive snmp walks result and I a script to clean the data.
However it fails to run because of an error on the ruby filter. I have tried my script on the output on irb and the script runs fin. Below is just a basic part of the script. Any idea what I could be doing wrong?

input {
    snmp{
        walk =>["1.3.6.1.4.1.32278.1.2.3"]
        hosts => [{XXXX}]
    }
}
filter {
    ruby {
     code => "
        event.to_hash.map do |k,v|
              newkey = k.to_s.gsub!("iso.org.dod.internet.private.enterprises.32278.1.2.3.","")
              event.set(newkey,v)
              event.remove(k)
            end
        "
    }
}
output {
        stdout { codec => rubydebug}
        elasticsearch
        {
            hosts => ["172.16.248.66:9200"]
            index => "snmp_walk"
        }
}

Badger · February 6, 2020, 5:16pm

What is the error?

dishma237 · February 6, 2020, 5:37pm

Error is

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 12, column 38 (byte 316) after filter {\r\n ruby {\r\n code => "\r\n

Badger · February 6, 2020, 6:04pm

You are using double quotes in your gsub, I suggest you use single quotes to surround the code. Does the error change if you do that?

dishma237 · February 6, 2020, 6:42pm

Yes you are right the double quotes are a problem. I now get the a different error. But I believe is now is about how I handle the output of the walk. without filter I will normally get below result stored.

      "iso.org.dod.internet.private.enterprises.32278.1.2.3.22.4.0": "OK",
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.4.2.0": 0,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.4.5.0": 2,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.3.3.0": 0,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.26.4.0": "",
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.25.4.0": "",
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.28.5.0": 1,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.21.4.0": "Off Battery",
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.8.2.0": 0,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.30.5.0": 2,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.13.3.0": 0,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.16.4.0": "Stopped",
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.22.3.0": 0,

What does the "event" refers to generally? I saw that's what been used in most examples

Badger · February 6, 2020, 7:34pm

You should use gsub, not gsub!. For fields like host using gsub! will result in you trying to event.set(nil, ...), which is not what you want.

What an event contains depends on the input. For a file input it is by default one line of a file. For an snmp input which is walking a MIB it is all of the objects that were returned when the input polled the target.

dishma237 · February 7, 2020, 4:19am

Thanks a lot Badger. Couldn't have been explained any better

system · March 6, 2020, 4:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.