Mysterious grok filter syntax error


So I have the following logstash filter config file.

    filter {
      if [type] == "syslog" and [message] =~ "diskstation" {
        grok {
          match => { "message" => "<%{POSINT:syslog_pri}>%{INT:version} %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} %{DATA:syslog_program} - - (?:\[meta sequenceid="%{POSINT:message_id}"\])? %{GREEDYDATA:syslog_message}" }
        }
      } else if [type] == "syslog" {
        grok {
          match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
        }
      }
    }

Using the grok debugger the filters work fine, but when starting logstash I get the following error:

    jun 03 11:49:38 nuc logstash[27352]: error: expected 1 of #, {, } @ line 16, column 170 (byte 348) after filter {
    jun 03 11:49:38 nuc logstash[27352]: if [type] == "syslog" , [message] =~ "ds02" {
    jun 03 11:49:38 nuc logstash[27352]: grok {
    jun 03 11:49:38 nuc logstash[27352]: match => { "message" => "<%{posint:syslog_pri}>%{int:version} %{timestamp_iso8601:timestamp} %{hostname:hostname} %{data:syslog_program} - - (?:\[meta sequenceid="
    jun 03 11:49:38 nuc logstash[27352]: may interested in '--configtest' flag can
    jun 03 11:49:38 nuc logstash[27352]: use validate logstash's configuration before choose
    jun 03 11:49:38 nuc logstash[27352]: restart running system.

I can't for the life of me figure out what the syntax error is. Can someone point me in the right direction?

The solution was staring me in the face the entire time, of course. The problem is the double quotes in the filter. It can be solved by using single quotes.

    filter {
      if [type] == "syslog" and [message] =~ "diskstation" {
        grok {
          # Single-quoted pattern: the literal double quotes around the sequence ID no longer end the string
          match => { "message" => '<%{POSINT:syslog_pri}>%{INT:version} %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} %{DATA:syslog_program} - - (?:\[meta sequenceid="%{POSINT:message_id}"\])? %{GREEDYDATA:syslog_message}' }
        }
      } else if [type] == "syslog" {
        grok {
          # No literal double quotes in this pattern, so double quoting is fine here
          match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
        }
      }
    }
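Why the parser stops right after `sequenceid=`, as an added example (not code from the original post or from Logstash): a small Python check that reads the pattern string the way a config lexer would, assuming a quoted string ends at the first unescaped occurrence of its opening quote. The helper names `read_quoted` and `check_match_value` are hypothetical, and the two sample lines are constructed from the configs above.

```python
# Added example. Assumption: a quoted config string ends at the first unescaped
# occurrence of its opening quote character (a simplification, not Logstash's parser).

# Constructed sample lines, built from the two configs on this page.
DOUBLE_QUOTED = r'''match => { "message" => "<%{POSINT:syslog_pri}>%{INT:version} %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} %{DATA:syslog_program} - - (?:\[meta sequenceid="%{POSINT:message_id}"\])? %{GREEDYDATA:syslog_message}" }'''
SINGLE_QUOTED = r"""match => { "message" => '<%{POSINT:syslog_pri}>%{INT:version} %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:hostname} %{DATA:syslog_program} - - (?:\[meta sequenceid="%{POSINT:message_id}"\])? %{GREEDYDATA:syslog_message}' }"""


def read_quoted(text, start):
    """Return (value, end) for the quoted string that opens at text[start]."""
    quote = text[start]
    if quote not in ('"', "'"):
        raise ValueError(f"expected a quote at offset {start}")
    i = start + 1
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            i += 2  # backslash escape: skip the escaped character
            continue
        if text[i] == quote:
            return text[start + 1:i], i + 1
        i += 1
    raise ValueError(f"unterminated string opened at offset {start}")


def check_match_value(line):
    """Return (pattern, leftover) for a 'match => { "message" => ... }' line.

    leftover is whatever follows the pattern string; anything other than the
    closing '}' is text the config parser cannot accept at that position.
    """
    arrow = line.index("=>", line.index('"message"'))
    start = arrow + 2
    while line[start].isspace():
        start += 1
    pattern, end = read_quoted(line, start)
    return pattern, line[end:].strip()


if __name__ == "__main__":
    for name, line in (("double", DOUBLE_QUOTED), ("single", SINGLE_QUOTED)):
        pattern, leftover = check_match_value(line)
        status = "ok" if leftover == "}" else "syntax error"
        print(f"{name}: {status}; string ends after ...{pattern[-16:]!r}; leftover {leftover[:24]!r}")
```

A truncated pattern like this matters beyond the startup failure: a grok filter that does not load means the affected syslog events are never parsed into fields.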

