Syntax error with filter

mcoa · July 25, 2019, 4:47am

Hello,
I'm use logstash for parser some postgress log's. But my filter section says syntax error:

[2019-07-25T00:08:47,536][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.8.1"}
[2019-07-25T00:08:52,138][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, ,, ] at line 12, column 30 (byte 222) after filter {\n  grok {\n        patterns_dir => [\"/etc/logstash/patterns\"]\n        match => [ \"message\" ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2577:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:43:in `block in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:in `block in exclusive'", "org/jruby/ext/thread/Mutex.java:165:in `synchronize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:in `exclusive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:39:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:334:in `block in converge_state'"]}
[2019-07-25T00:08:53,660][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2019-07-25T00:08:57,889][INFO ][logstash.runner          ] Logstash shut down.

And my setting is:

input {
  file {
    path => "/var/lib/pgsql/9.6/data/pg_log/postgresql.log"
    start_position => "beginning"
  }
}


filter {
  grok {
        patterns_dir => ["/etc/logstash/patterns"]
        match => [ "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:Timezone} %{SYSLOGHOST:source} %{GREEDYDATA:message}"  ]
    }
}


output {
  elasticsearch {
    hosts => ["http://192.168.0.20:9200"]
    index => "pgsql-%{+YYYY.MM.dd}"
    }
    stdout {
        codec => "rubydebug"
   }
}

don't see the error -_- . ¿can you help me?

Thanks.

Christian_Dahlqvist · July 25, 2019, 5:03am

The match statement in your grok filter should have curly braces around the message part. See the documentation for an example.

Badger · July 25, 2019, 1:25pm

logstash is fairly flexible about allowing arrays where it expects hashes and vice versa, but if you use an array (i.e. square brackets) then you must use comma, not =>, as a separator. This should be

match => { "message" => "...

mcoa · July 25, 2019, 1:50pm

uffff,,, thanks. solved

system · August 22, 2019, 1:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.