Unable to resolve error-Logstash .conf file(CentOS 7 Linux)

sdubbudu · July 10, 2018, 3:37pm

Hi all
I have recently started using the Elastic Stack. I have everything up and running. But when I try to create pipeline I get a very weird error which I dont find any where in my logstash .conf file I am posting below.

LOGSTASH CONF FILE
input{
beats{
port => 5044
host => "localhost"
}
}
filter{
grok {
match => { "message" => " %{NUMBER:pid} %{SYSLOGHOST:user} %{NUMBER:priority} %{NUMBER:nice_value} %{NUMBER:virtual_memory} %{NUMBER:physical_memory} %{NUMBER:shared_memory} %{WORD:status} %{NUMBER:cpu_usage} %{NUMBER:ram_usage} %{TIME:activity_time} %{WORD:command}/n }
}
}
output{
stdout{ codec => rubydebug }
elasticsearch {
hosts => localhost
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}

Error From the Logs:
[ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 17, column 15 (byte 487) after filter{\n grok {\n match => { "message" => " %{NUMBER:pid} %{SYSLOGHOST:user} %{NUMBER:priority} %{NUMBER:nice_value} %{NUMBER:virtual_memory} %{NUMBER:physical_memory} %{NUMBER:shared_memory} %{WORD:status} %{NUMBER:cpu_usage} %{NUMBER:ram_usage} %{TIME:activity_time} %{WORD:command}/n }\n }\n}\noutput{\n stdout{ codec => rubydebug }\n elasticsearch { \n hosts => localhost\n manage_template => false\n index => "", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in block in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:49:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:167:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:inexecute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:305:in `block in converge_state'"]}

Badger · July 10, 2018, 3:51pm

You are missing a " on the grok pattern, so it thinks everything down to index => " is part of the pattern.

sdubbudu · July 10, 2018, 4:06pm

Thanks for that!!
Feels stupid now, guess I was looking at the wrong place.
Hope that works.

sdubbudu · July 10, 2018, 8:20pm

Can you please help me parse the event structure(It's just the output of top command)
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 127936 3808 2316 S 5.3 0.2 0:05.29 systemd

The first line shows the fields that we name the structure as, second line the samples. I tried to use the one i showed up here or several other mutated versions with no effect.

Thank you

Badger · July 10, 2018, 8:39pm

That time does not match the TIME pattern. You could try (?<activity_time>[0-9:\.]+)

system · August 7, 2018, 8:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.