Syntax error

Hey there,

I'm playing with Logstash and wrote a lot of grok patterns. But right now I have a syntax error in this snippet:

if [message] =~ "SMTP error from remote mail server after RCPT TO" {
        grok {
          "match" => { "message" => " (%{EMAILADDRESS:exim_sender})" }
        }
        mutate {
          copy => { "exim_sender" => "exim_sender_tmp" }
          gsub => [ "exim_sender_tmp", "TO:<", "" ]
          copy => { "exim_sender_tmp"} => "exim_sender" }
          update => { "exim_msg_state" => "error" }
        }

and tbh I'm not 100% sure how these mutate filters work. Mostly I just use update. But I also used a mutate like:

mutate {
   update => { "field" => "foobar" }
   gsub => [ "foobar", "o", ""] #this entry is fbar 
}

A mutate filter does operations in a fixed order, not in the order specified in the configuration. That said, it is unclear why you do not

mutate {
    gsub => [ "exim_sender", "TO:<", "" ]
    update => { "exim_msg_state" => "error" }
}
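The fixed order mentioned above is the reason the copy / gsub / copy chain from the question cannot work inside a single mutate block. The following Python model is an added example, not Logstash code: it implements only the options used in this thread (rename, update, replace, gsub, copy), applies them in the order documented for the mutate filter, and runs the question's block, the answer's block and a version split into separate mutate blocks over a constructed event whose exim_sender still carries the "TO:<" prefix.

```python
import re

# Order in which one mutate block applies its options, whatever order they are
# written in the config (as documented for the mutate filter). add_field and
# remove_field run after all of these and are not modelled here.
MUTATE_ORDER = ("coerce", "rename", "update", "replace", "convert", "gsub",
                "uppercase", "capitalize", "lowercase", "strip", "split",
                "join", "merge", "copy")


def _rename(event, spec):
    for src, dst in spec.items():
        if src in event:
            event[dst] = event.pop(src)


def _update(event, spec):
    # update only touches fields that already exist; replace would create them
    for field, value in spec.items():
        if field in event:
            event[field] = value


def _replace(event, spec):
    event.update(spec)


def _gsub(event, spec):
    # flat list: field, regex, replacement, field, regex, replacement, ...
    for field, regex, repl in zip(spec[0::3], spec[1::3], spec[2::3]):
        if isinstance(event.get(field), str):
            event[field] = re.sub(regex, repl, event[field])


def _copy(event, spec):
    # copies are made in the order the hash lists them
    for src, dst in spec.items():
        if src in event:
            event[dst] = event[src]


OPERATIONS = {"rename": _rename, "update": _update, "replace": _replace,
              "gsub": _gsub, "copy": _copy}


def mutate(event, options):
    """Apply one mutate { ... } block. `options` maps option name to its value
    as written in the config; the dict's own order is ignored on purpose and
    MUTATE_ORDER decides, which is the behaviour the answer describes."""
    event = dict(event)  # never modify the caller's event
    for name in MUTATE_ORDER:
        if name in options:
            if name not in OPERATIONS:
                raise NotImplementedError(f"{name} is not modelled here")
            OPERATIONS[name](event, options[name])
    return event


# Constructed event: what the grok in the question leaves behind once the
# pattern has swallowed the "TO:<" prefix (the reason for the gsub).
SAMPLE_EVENT = {
    "message": "SMTP error from remote mail server after RCPT TO:<user@domain.com>:",
    "exim_sender": "TO:<user@domain.com",
    "exim_msg_state": "ok",
}


def question_block(event):
    """The mutate from the question read as one block: copy to a temp field,
    gsub the temp field, copy it back. gsub runs before copy, so the temp
    field does not exist yet when gsub looks for it and nothing is stripped."""
    return mutate(event, {
        "copy": {"exim_sender": "exim_sender_tmp", "exim_sender_tmp": "exim_sender"},
        "gsub": ["exim_sender_tmp", "TO:<", ""],
        "update": {"exim_msg_state": "error"},
    })


def answer_block(event):
    """The mutate from the answer: gsub the field in place, no temp field,
    so the processing order does not matter."""
    return mutate(event, {
        "gsub": ["exim_sender", "TO:<", ""],
        "update": {"exim_msg_state": "error"},
    })


def split_blocks(event):
    """If a temp field really is wanted: separate mutate blocks run in config
    order; only the options inside one block are reordered."""
    event = mutate(event, {"copy": {"exim_sender": "exim_sender_tmp"}})
    event = mutate(event, {"gsub": ["exim_sender_tmp", "TO:<", ""]})
    return mutate(event, {"copy": {"exim_sender_tmp": "exim_sender"},
                          "update": {"exim_msg_state": "error"}})


if __name__ == "__main__":
    for fn in (question_block, answer_block, split_blocks):
        print(fn.__name__, fn(SAMPLE_EVENT))
```

Running it shows question_block leaving exim_sender untouched while answer_block and split_blocks both end with a bare address; the only difference between the first and the last is whether the three steps share one mutate block.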

I have an e-mail in my logline. The logline looks like this:

SMTP error from remote mail server after RCPT TO:<user@domain.com>:
host domain.com [xx.xx.xx.xx]: 550-Please turn on SMTP Authentication in your mail client.
550-(host.domain.com) [yy.yy.yy.yy]: __ is not permitted to relay through this server without authentication.

I am only interested in the e-mail address. So I use gsub to remove TO:<.
update => { "exim_msg_state" => "error" } is just a kind of failure counter, so it's not connected with gsub.
For more information see here: Issue in Controls - #23 by moep

What I don't understand is where the syntax error is.

You should remove the first }

Also if you change the grok to

grok { "match" => { "message" => "%{EMAILADDRESS:exim_sender}" } }

then you will get

"exim_sender" => "user@domain.com"

and you will not need most of the mutate.

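To see what the two grok expressions above actually capture from the quoted log line, here is an added Python script (not from the thread and not Logstash code) that expands grok %{...} references into a regex and runs them. What EMAILADDRESS captures depends on which pattern set is in use: the legacy and the ECS-compatible grok-patterns files define EMAILLOCALPART differently, and the thread does not say which one the poster has, so the script tries both. The two definitions are assumed to match those files. It also tries a third pattern, anchored on the literal RCPT TO:< context, which yields the bare address with either definition and makes the gsub unnecessary.

```python
import re

# Constructed sample: the first line of the log message quoted in the thread.
LOG_LINE = ("SMTP error from remote mail server after RCPT TO:<user@domain.com>: "
            "host domain.com [xx.xx.xx.xx]: 550-Please turn on SMTP Authentication "
            "in your mail client.")

# Pattern definitions, assumed to match the legacy and ecs-v1 grok-patterns
# files shipped with Logstash; check the files on your own install.
LEGACY_PATTERNS = {
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)",
    # "+-=" inside the class is a range: every byte from '+' to '=', so it also
    # admits ':' and '<', which is why "TO:<" ends up in the captured field.
    "EMAILLOCALPART": r"[a-zA-Z][a-zA-Z0-9_.+-=:]+",
    "EMAILADDRESS": r"%{EMAILLOCALPART}@%{HOSTNAME}",
}
ECS_PATTERNS = dict(LEGACY_PATTERNS)
ECS_PATTERNS["EMAILLOCALPART"] = (r"[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]{1,64}"
                                  r"(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]{1,62}){0,63}")

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, library):
    """Expand %{NAME} and %{NAME:field} references recursively into a Python
    regex; a reference with a field name becomes a named group, as in grok."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(library[name], library)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return _REF.sub(expand, pattern)


def grok_match(pattern, text, library):
    """Unanchored search like the grok filter; returns the named captures, or
    None where grok would tag the event with _grokparsefailure."""
    m = re.search(grok_to_regex(pattern, library), text)
    return m.groupdict() if m else None


def question_grok(library):
    # the pattern from the question: a space before the address
    return grok_match(r" (%{EMAILADDRESS:exim_sender})", LOG_LINE, library)


def answer_grok(library):
    # the pattern from the answer: the bare address
    return grok_match(r"%{EMAILADDRESS:exim_sender}", LOG_LINE, library)


def anchored_grok(library):
    # added variant: anchor on the literal context so the local part can only
    # start after "<", whichever EMAILLOCALPART definition is in use
    return grok_match(r"RCPT TO:<%{EMAILADDRESS:exim_sender}>", LOG_LINE, library)


if __name__ == "__main__":
    for label, lib in (("legacy", LEGACY_PATTERNS), ("ecs-v1", ECS_PATTERNS)):
        for fn in (question_grok, answer_grok, anchored_grok):
            print(f"{label:7} {fn.__name__:14} {fn(lib)}")
```

With the legacy definition both the question's and the answer's pattern return "TO:<user@domain.com", because the local-part class admits ':' and '<' and the leftmost match starts at "TO"; with the ECS definition the question's pattern does not match at all (no space directly before "user") and the answer's pattern returns "user@domain.com". The anchored pattern returns "user@domain.com" in both cases, so no mutate is needed afterwards regardless of the pattern set.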
