Logstash configuration error - expected character

vnjpjtjt posted on 2022-12-09 in Logstash
Follow(0)|Answers(1)|Views(227)

I have this pattern that matches correctly on https://grokconstructor.appspot.com :

"%{TIMESTAMP_ISO8601:timestamp}"\|"%{DATA:tz}"\|"%{GREEDYDATA:trans}\: %{GREEDYDATA:transId}"\|"%{GREEDYDATA:req}\: %{GREEDYDATA:reqId}"\|"%{IP:ip}"\|"%{GREEDYDATA:path}\=%{GREEDYDATA:codF}"\|"%{DATA:httpver}"\|"%{DATA:app}"\|"%{WORD:verb}"\|"%{GREEDYDATA:gw}\: %{GREEDYDATA:gw_status}"\|"%{GREEDYDATA:be}\: %{GREEDYDATA:be_status}"\|"%{DATA:unknown}"\|"%{DATA:postman}"\|"%{DATA:link}"\|"%{GREEDYDATA:tok}\: %{GREEDYDATA:token}"

When I configure Logstash with this filter:

filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}"\|"%{DATA:tz}"\|"%{GREEDYDATA:trans}\: %{GREEDYDATA:transId}"\|"%{GREEDYDATA:req}\: %{GREEDYDATA:reqId}"\|"%{IP:ip}"\|"%{GREEDYDATA:path}\=%{GREEDYDATA:codF}"\|"%{DATA:httpver}"\|"%{DATA:app}"\|"%{WORD:verb}"\|"%{GREEDYDATA:gw}\: %{GREEDYDATA:gw_status}"\|"%{GREEDYDATA:be}\: %{GREEDYDATA:be_status}"\|"%{DATA:unknown}"\|"%{DATA:postman}"\|"%{DATA:link}"\|"%{GREEDYDATA:tok}\: %{GREEDYDATA:token}" }
    add_field => [ "grok_state", "match" ]
  }
}

I get this error:
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "{", "}" at line 10, column 61 (byte 158) after filter {\n grok {\n match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:182:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:50:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:386:in block in converge_state'"]}
I tried to escape the " but got the same error, any ideas?
Thank you

UPDATE

Example of log:

"2022-11-28 09:14:59:514"|"+0100"|"transId: xxx"|"reqId: xxx"|"1.1.1.1"|"/path/codF=xxxxxxxxxxx"|"HTTP/1.1"|"SAP"|"GET"|"gateway status: 200"|"backend status: 200"|""|"Runtime/7.29.2"|"client"|"token: xxxx-xxxx-xxxx"
svujldwt1#

I solved it: the whole pattern block must be enclosed in double quotes, with the double quotes inside the pattern escaped:

filter {
  grok {
    match => { "message" => "\"%{TIMESTAMP_ISO8601:timestamp}\"\|\"%{DATA:tz}\"\|\"%{GREEDYDATA:trans}\: %{GREEDYDATA:transId}\"\|\"%{GREEDYDATA:req}\: %{GREEDYDATA:reqId}\"\|\"%{IP:ip}\"\|\"%{GREEDYDATA:path}\=%{GREEDYDATA:codF}\"\|\"%{DATA:httpver}\"\|\"%{DATA:app}\"\|\"%{WORD:verb}\"\|\"%{GREEDYDATA:gw}\: %{GREEDYDATA:gw_status}\"\|\"%{GREEDYDATA:be}\: %{GREEDYDATA:be_status}\"\|\"%{DATA:unknown}\"\|\"%{DATA:postman}\"\|\"%{DATA:link}\"\|\"%{GREEDYDATA:tok}\: %{GREEDYDATA:token}\"" }
    add_field => [ "grok_state", "match" ]
  }
}

Thanks everyone
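The quoting fix above can be checked offline before touching the pipeline. The following is an added example, not code from the question or the answer: it produces the escaped `match` string the way the answer describes and dry-runs the raw grok pattern against the log line from the UPDATE, using simplified stand-ins for the grok base patterns (an assumption; they approximate, but are not, the definitions Logstash ships).

```python
import re
from typing import Optional

# Raw grok pattern from the question, exactly as it works on grokconstructor
RAW_PATTERN = r'"%{TIMESTAMP_ISO8601:timestamp}"\|"%{DATA:tz}"\|"%{GREEDYDATA:trans}\: %{GREEDYDATA:transId}"\|"%{GREEDYDATA:req}\: %{GREEDYDATA:reqId}"\|"%{IP:ip}"\|"%{GREEDYDATA:path}\=%{GREEDYDATA:codF}"\|"%{DATA:httpver}"\|"%{DATA:app}"\|"%{WORD:verb}"\|"%{GREEDYDATA:gw}\: %{GREEDYDATA:gw_status}"\|"%{GREEDYDATA:be}\: %{GREEDYDATA:be_status}"\|"%{DATA:unknown}"\|"%{DATA:postman}"\|"%{DATA:link}"\|"%{GREEDYDATA:tok}\: %{GREEDYDATA:token}"'

# The log line posted in the UPDATE
SAMPLE_LOG = '"2022-11-28 09:14:59:514"|"+0100"|"transId: xxx"|"reqId: xxx"|"1.1.1.1"|"/path/codF=xxxxxxxxxxx"|"HTTP/1.1"|"SAP"|"GET"|"gateway status: 200"|"backend status: 200"|""|"Runtime/7.29.2"|"client"|"token: xxxx-xxxx-xxxx"'

def to_logstash_match(pattern: str) -> str:
    """Quote a grok pattern for use as a Logstash config string literal.

    The config parser reads the pattern as one double-quoted string, so every
    literal double quote inside it needs a backslash and the whole pattern
    gets one outer pair of quotes (the fix from the answer).
    """
    return '"' + pattern.replace('"', r'\"') + '"'

# Simplified stand-ins for the grok base patterns this pattern uses
# (assumption: close enough for a dry run, not the exact Logstash definitions).
GROK_BASE = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:?\d{2}(?::?\d{2}(?:[:.,]\d+)?)?",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",  # IPv4 only
    "WORD": r"\b\w+\b",
}

def grok_to_regex(pattern: str) -> str:
    """Expand every %{NAME:field} into a Python named group."""
    return re.sub(
        r"%\{(\w+):(\w+)\}",
        lambda m: f"(?P<{m.group(2)}>{GROK_BASE[m.group(1)]})",
        pattern,
    )

def grok_match(pattern: str, line: str) -> Optional[dict]:
    """Return the captured fields, or None when the line does not match."""
    m = re.match(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    print('match => { "message" => ' + to_logstash_match(RAW_PATTERN) + ' }')
    for name, value in grok_match(RAW_PATTERN, SAMPLE_LOG).items():
        print(f"{name:10} = {value!r}")
```

The printed `match` line can be pasted straight into the filter block; a `None` result from `grok_match` means the pattern itself, not the quoting, needs attention.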
