Unable to start logstash after the setup

Nithani25 · October 31, 2018, 11:55am

HI Team,
I am getting below error while starting the logstash with a sample conf file present in default conf.d folder.

[ERROR] 2018-10-31 04:45:22.819 [Converge PipelineAction::Create<main>] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, input, filter, output at line 28, column 1 (byte 1082) after ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:incompile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:inblock in compile_sources'", "org/jruby/RubyArray.java:2486:in map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:incompile_sources'", "org/logstash/execution/AbstractPipelineExt.java:149:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:38:inexecute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:309:in block in converge_state'"]}

The logstash conf file looks something like below

input {
  file {
     path => "/opt/bea/profile/apilogs/*.log"
     start_position => "beginning"
     ignore_older => 0
}
}
filter {
    grok {
      match => { "message" => "%{CISCOTIMESTAMP:Ignore1}\s%{DATA:Ignore2}\s%{TIMESTAMP_ISO8601:apigeetimestamp}\s%{URIHOST:Ignore3}\s%{DATA:Ignore4}\|%{URIHOST:ClassType}\|%{DATA:ServiceURL}\|%{WOR
D:Verb}\|%{DATA:Loglevel}\|%{DATA:Thread}\|%{DATA:RequestHeaderString}\|%{DATA:EnvironmentName}\|%{DATA:ProjectName}\|%{DATA:ResponseTime}\|%{DATA:StatusCode}\|%{DATA:ApiErrorCode}\|%{DATA:ErrorDes
cription}\|%{DATA:UserId}\|%{DATA:TransactionType}\|%{IP:ClientIP}\|%{DATA:TransactionId}\|%{DATA:Browser}\|%{GREEDYDATA:Logmessage}" }
      overwrite => [ "message" ]
         }
    date {
        match => [ "combinedtimestamp" , "ISO8601" ]
        target => "@timestamp"
           }
    mutate {
        convert => { "ResponseTime" => "integer" }
           }
    mutate {
        convert => { "StatusCode" => "integer" }
          }
    mutate {
        remove_field => [ "Ignore1" , "Ignore2" , "Ignore3" , "Ignore4" ]
           }
}
output {
   elasticsearch {
        hosts => [ "localhost:9200" ]
       }
  stdout { codec => rubydebug }
}

_Alex · October 31, 2018, 3:12pm

You probably have other files in the same conf.d directory which are messing with the pipeline. Double check the file you posted is the only one in there.

system · November 28, 2018, 3:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.