elasticsearch - grok过滤器启动logstash时出错

Question

我有以下logstash conf文件

input {
  tcp {
    port => 12345
    codec => json
  }
}

filter {
  grok {
    break_on_match => true
    match => [
        "message", "%{TIMESTAMP_ISO8601:timestamp} (verbose|info|debug) (hostd|vpxa)",
    ]
    mutate {
      add_tag => "esxi_verbose"
    }
  }
}

if "esxi_verbose" in [tags] {
  drop{}
}

output {
      stdout { codec => rubydebug }
      elasticsearch { 
        hosts => ["localhost:9200"] 
        index => "logstash-%{+YYYY.MM.dd}"
      }
}

我正在尝试删除所有详细的调试信息消息。当我启动logstash时，出现错误

[2019-03-03T16:53:11,731][ERROR][logstash.agent] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, \", ', -, [, { at line 13, column 5 (byte 211) after filter {\n  grok {\n    break_on_match => true\n    match => [\n        \"message\", \"%{TIMESTAMP_ISO8601:timestamp} (verbose|info|debug) (hostd|vpxa)\",\n    "

有人可以帮我我在做什么错。

Answer 1

您在配置中有3个问题:

在grok消息行的末尾有一个逗号
多余的

突变位于grok过滤器内，但它应该出现
之后

'if'语句应位于'filter'部分内。

这是已更新且有效的配置:

input {
  tcp {
    port => 12345
    codec => json
  }
}

filter {
  grok {
    break_on_match => true
    match => [
        "message", "%{TIMESTAMP_ISO8601:timestamp} (verbose|info|debug) (hostd|vpxa)"
    ]
  }

  mutate {
    add_tag => "esxi_verbose"
  }

  if "esxi_verbose" in [tags] {
    drop{}
  }

}

output {
      stdout { codec => rubydebug }
      elasticsearch {
        hosts => ["localhost:9200"]
        index => "logstash-%{+YYYY.MM.dd}"
      }
}