Ruby filter "LogStash::ConfigurationError"

Hi guys, I have a config set up as below to receive SNMP walk results, and I have a script to clean the data.
However, it fails to run because of an error in the ruby filter. I have tried my script on the output in irb and the script runs fine. Below is just a basic part of the script. Any idea what I could be doing wrong?

input {
    snmp{
        walk =>["1.3.6.1.4.1.32278.1.2.3"]
        hosts => [{XXXX}]
    }
}
filter {
    ruby {
     code => "
        event.to_hash.map do |k,v|
              newkey = k.to_s.gsub!("iso.org.dod.internet.private.enterprises.32278.1.2.3.","")
              event.set(newkey,v)
              event.remove(k)
            end
        "
    }
}
output {
        stdout { codec => rubydebug}
        elasticsearch
        {
            hosts => ["172.16.248.66:9200"]
            index => "snmp_walk"
        }
}

What is the error?

Error is

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 12, column 38 (byte 316) after filter {\r\n ruby {\r\n code => "\r\n

You are using double quotes in your gsub, I suggest you use single quotes to surround the code. Does the error change if you do that?

Yes, you are right, the double quotes are a problem. I now get a different error, but I believe it is now about how I handle the output of the walk. Without the filter I would normally get the result below stored.

      "iso.org.dod.internet.private.enterprises.32278.1.2.3.22.4.0": "OK",
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.4.2.0": 0,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.4.5.0": 2,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.3.3.0": 0,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.26.4.0": "",
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.25.4.0": "",
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.28.5.0": 1,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.21.4.0": "Off Battery",
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.8.2.0": 0,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.30.5.0": 2,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.13.3.0": 0,
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.16.4.0": "Stopped",
      "iso.org.dod.internet.private.enterprises.32278.1.2.3.22.3.0": 0,

What does "event" refer to generally? I saw that's what has been used in most examples.

You should use gsub, not gsub!. For fields like host using gsub! will result in you trying to event.set(nil, ...), which is not what you want.

What an event contains depends on the input. For a file input it is by default one line of a file. For an snmp input which is walking a MIB it is all of the objects that were returned when the input polled the target.


Thanks a lot Badger. Couldn't have been explained any better.
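The key renaming discussed in this thread, as an added example that is not part of the original posts: it shows why `gsub!` yields a nil field name for keys such as `host`, and a non-bang version that leaves non-matching fields in place. `FakeEvent`, `strip_prefix`, `sample_event` and `bang_result_for_host` are hypothetical names, and `FakeEvent` is a stand-in for the event object so the code runs in plain Ruby outside Logstash.

```ruby
# Stand-in for the three event methods the filter uses (to_hash, set, remove).
# This is not Logstash's own Event class; it rejects nil names (an assumption
# of this stand-in) so the gsub! failure mode is visible.
class FakeEvent
  def initialize(fields)
    @fields = fields.dup
  end
  def to_hash
    @fields.dup
  end
  def set(key, value)
    raise ArgumentError, "field name is nil" if key.nil?
    @fields[key] = value
  end
  def remove(key)
    @fields.delete(key)
  end
end

PREFIX = "iso.org.dod.internet.private.enterprises.32278.1.2.3."

# Body that would sit inside code => '...' (single quotes in the pipeline
# config, so the double quotes in the Ruby do not terminate the config string).
def strip_prefix(event)
  event.to_hash.each do |k, v|
    # Without this guard a non-matching key such as "host" would be set
    # under its own name and then removed again.
    next unless k.to_s.start_with?(PREFIX)
    newkey = k.to_s.gsub(PREFIX, "")   # non-bang: always returns a String
    event.set(newkey, v)
    event.remove(k)
  end
  event
end

# Constructed sample: two values from the walk output above plus a host field.
def sample_event
  FakeEvent.new({ PREFIX + "22.4.0" => "OK",
                  PREFIX + "21.4.0" => "Off Battery",
                  "host"            => "constructed-host" })
end

# gsub! returns nil when nothing was replaced, which is what happens for "host".
def bang_result_for_host
  "host".dup.gsub!(PREFIX, "")
end

p strip_prefix(sample_event).to_hash if __FILE__ == $PROGRAM_NAME
```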
