Hi,
I have a mail log data in [mail][suser] attribute in below, i want to get user account (ABC03245) to new attribute.
jamescc_chen@abc.com.tw;ABC03245|Jamescc Chen(James);abc:
the Grok configure in below
if add this grok condition in my config. Logstash always show error
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 228
I check config many times. it not miss anything. so, i don't know what's problems??
thanks.
JohanRask
May 3, 2018, 11:37am
2
Pinno_Lin:
";%{GREEDYDATA:LoginID}"
I would recommend to use https://grokdebug.herokuapp.com/ to try out your grok expressions.
Hi JohanRask,
Thanks for your reply. Maybe i provide information not enough. sorry.
jamescc_chen@abc.com.tw;ABC03245\|Jamescc Chen(James);abc:
;%{GREEDYDATA:LoginID}\\
I make a simple config below, Logstash always show the error if use the grok. i don't know where has problems??
Thank a lot.
[2018-05-04T09:34:27,665][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 269, column 6 (byte 6653) after filter {\n\tif "LAB" in [tags] {\n\t\tgrok {\n match => { "[mail][suser]" => ";%{GREEDYDATA:LoginID}\\"}\n }\n }\t\n}\n\noutput {\n\tif "", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:51:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:169:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:inexecute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:315:in block in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:inwith_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:312:in block in converge_state'", "org/jruby/RubyArray.java:1734:ineach'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:299:in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:166:inblock in converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:164:inconverge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:90:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:348:inblock in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}
-----------------------------------------------------
I think that the problem is that
"%GREEDYDATA:LoginID\\"
escapes the double quote, not the backslash. I am unable to find a way to escape the backslash. Not single \, not double \, not triple \.
So we have to get the backslashes away from the quotes. This works in grok
";%{GREEDYDATA:LoginID}\\."
although this would be a lot cheaper
dissect { mapping => "[mail][suser] => "%{};%{LoginID}\%{}" } }
1 Like
Hi Badger,
Thanks for you reply and suggestion. it resolve my problems.
system
June 5, 2018, 12:41am
7
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
:User::FIN::PD;abc:
:User::FIN::PD;abc: