Hi All,
Need help in ingesting tomcat unstructured logs to ELK. While ingesting via filebeat ->logstash->elasticsearch -> kibana
everything is coming in one message field. I was trying to split it with mutate filter plugin but getting exceptions. pasting my logstash.yml
logstash/log.yml
input {
beats {
port => 5044
}
}
filter {
mutate {
split => { "message" => ":" }
add_field => {
"Client_IP" => "%{[message][0]}"
"Method" => "%{[message][1]}"
"URL" => "%{[message][2]}"
"Bytes" => "%{[message][3]}"
"Duration" => "%{[message][4]}"
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
}
}
while restarting logstash getting following exception. Pls help
[2021-08-23T11:51:01,479][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "=>" at line 21, column 17 (byte 409) after filter {\n mutate {\n split => { "message" => ":" }\n add_field => {\n "Client_IP" => "%{[message][0]}"\n "Method" => "%{[message][1]}"\n "URL" => "%{[message][2]}"\n "Bytes" => "%{[message][3]}"\n "Duration" => "%{[message][4]}"\n \t\n }\n}\n\noutput {\n elasticsearch ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:391:in block in converge_state'"]}
[2021-08-23T11:51:01,614][INFO ][logstash.runner ] Logstash shut down.
[2021-08-23T11:51:01,623][FATAL][org.logstash.Logstash ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit