Syntactic error on logstash config

Zarkopafilis · June 30, 2017, 4:13pm

[2017-06-30T19:06:06,714][DEBUG][logstash.agent           ] Reading config file {:config_file=>"/etc/logstash/conf.d/logstash.conf"}
[2017-06-30T19:06:06,902][ERROR][logstash.agent           ] Cannot create pipeline {:reason=>"Expected one of #, => at line 24, column 7 (byte 633) after output {\n  stdout { codec => rubydebug }\n\n  elasticsearch {\n    hosts => [\"localhost:9200\"]\n    manage_template => false\n\n    if", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:50:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:145:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:286:in `create_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:95:in `register_pipeline'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:274:in `execute'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:185:in `run'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132:in `run'", "/usr/share/logstash/lib/bootstrap/environment.rb:71:in `(root)'"]}

Is the error I get when trying to run logstash with my new configuration, which looks like this:
input {
beats{
port => 5044
}
}

filter{
    if[message] =~ "^#" { drop{} }

    if[server] == "alkistis"{
        grok{
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:iisSite} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:bytes:int} %{NUMBER:timetaken:int}"]

        }
    }
}

output {
stdout { codec => rubydebug }

elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false

    if[server] == "alkistis"{
        index => "alkistis-%{+YYYY.MM.dd}"
        document_type => "iis-log"
    }else{
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        document_type => "%{[@metadata][type]}"
    }
}
}

The only thing I added from the previous version is the filter block and these if-alkistis blocks.

Christian_Dahlqvist · June 30, 2017, 4:46pm

You can not have conditionals within the elasticsearch output config. Instead use conditionals in the filter block to set index prefix and type in the metadata and then refer to this in the elasticsearch output.

Zarkopafilis · June 30, 2017, 6:07pm

Do I need to use mutate in the filter tho?

Christian_Dahlqvist · July 1, 2017, 6:20am

Yes, something like this would allow you to use [@metadata][beat] and [@metadata][type] to specify the index prefix and type for all types of logs, which will simplify your Elasticsearch output config. You can naturally choose other metadata variables to hold this if you prefer that.

if[server] == "alkistis"{
  mutate {
    add_field => {
      "[@metadata][beat]" => "alkistis"
      "[@metadata][type]" => "iis-logs"
    }
  }
}

system · July 29, 2017, 6:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash error {:reason=>"Expected one of #, \", ', } Logstash	6	1503	December 14, 2017
Logstash pipeline systax errors after 7.6.0 Logstash	14	1881	March 26, 2020
Logstash start error! Logstash	4	344	March 21, 2019
[ERROR][logstash.agent] "Expected one of [ \\t\\r\\n], \"#\", \"input\", \"filter\", \"output\" at line 1, column 1 (byte 1)" Logstash docker	2	1178	May 5, 2021
ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, { at line 24, column 7 Logstash	7	1228	April 23, 2019

Syntactic error on logstash config

Related topics