Syntax error with filter

Hello,
I'm use logstash for parser some postgress log's. But my filter section says syntax error:

[2019-07-25T00:08:47,536][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.8.1"}
[2019-07-25T00:08:52,138][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, ,, ] at line 12, column 30 (byte 222) after filter {\n  grok {\n        patterns_dir => [\"/etc/logstash/patterns\"]\n        match => [ \"message\" ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2577:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:43:in `block in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:in `block in exclusive'", "org/jruby/ext/thread/Mutex.java:165:in `synchronize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:in `exclusive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:39:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:334:in `block in converge_state'"]}
[2019-07-25T00:08:53,660][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2019-07-25T00:08:57,889][INFO ][logstash.runner          ] Logstash shut down.

And my setting is:

input {
  file {
    path => "/var/lib/pgsql/9.6/data/pg_log/postgresql.log"
    start_position => "beginning"
  }
}


filter {
  grok {
        patterns_dir => ["/etc/logstash/patterns"]
        match => [ "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:Timezone} %{SYSLOGHOST:source} %{GREEDYDATA:message}"  ]
    }
}


output {
  elasticsearch {
    hosts => ["http://192.168.0.20:9200"]
    index => "pgsql-%{+YYYY.MM.dd}"
    }
    stdout {
        codec => "rubydebug"
   }
}

don't see the error -_- . ¿can you help me?

Thanks.

The match statement in your grok filter should have curly braces around the message part. See the documentation for an example.

logstash is fairly flexible about allowing arrays where it expects hashes and vice versa, but if you use an array (i.e. square brackets) then you must use comma, not =>, as a separator. This should be

match => { "message" => "...

uffff,,, thanks. solved

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.