swathikothapu
commented
5 years ago Hi,
Use this command,
bin/logstash -f ../config/logstash.conf
logstash.conf
input { tcp { host => "10.0.14.34" port => 5510 codec => json type => "XXX" } } filter { if [type] == "XXX" { date { match => ["ntop_timestamp" , "yyyy-MM-dd'T'HH:mm:ss.SSSZ"] target => "@timestamp" }
Clear redundant field value
mutate {
remove_field => ["ntop_timestamp","GSA"]
}
if "" not in [IPV4_SRC_ADDR] and "" not in [IPV6_SRC_ADDR] {
drop {}
}} }
input { stdin { type => "stdin-type" } }
I download all files. I keep all .conf files in /etc/logstash/conf.d/
all .json files in /etc/logstash/templates/ and all - patterns files in /etc/logstash/patterns/
Then restart logstash service.
tail -f /var/log/logstash/logstash-plain.log Error: [2018-12-23T15:09:58,963][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600} [2018-12-23T15:10:30,136][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.5.3"} [2018-12-23T15:10:33,914][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, } at line 268, column 202 (byte 9745) after filter {\r\n if [type] == \"syslog\" {\r\n grok {\r\n match => [ \"message\", \"<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}\" ]", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in
compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:inblock in compile_sources'", "org/jruby/RubyArray.java:2486:inmap'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:incompile_sources'", "org/logstash/execution/AbstractPipelineExt.java:149:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:42:inblock in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:92:inblock in exclusive'", "org/jruby/ext/thread/Mutex.java:148:insynchronize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:92:inexclusive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:38:inexecute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:317:inblock in converge_state'"]}need help Thanks