ERROR invalid keyword when I tried to parse logs with regex.


#1 Juan Andrés.Ramirez

Hello,

I'm trying to get specific data from some Hadoop logs with REGEX and I received this error: ERROR invalid keyword: Output at C:\Program Files (x86)\nxlog\conf\nxlog.conf:45

Here is my config file:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

#
<Extension gelf>
    Module         xm_gelf
</Extension>
<Extension fileop>
    Module         xm_fileop
</Extension>
<Extension json>
    Module      xm_json
</Extension>
<Extension multi>
    Module      xm_multiline
    HeaderLine  /^(\d+-\d+-\d+\s\d+:\d+:\d+,\d+)/
    EndLine        /(.*)/
</Extension>
#
<Input hadoop>
  Module         im_file
  File             "E:\\Hadoop\\test\\*.*"
  SavePos         TRUE
  Recursive     TRUE
  InputType        multi
  
  Exec      if $raw_event =~/^(\d+-\d+-\d+\s\d+:\d+:\d+,\d+)\s(?:INFO|ERROR|WARN)\s(org.apache.hadoop.\w+.\w+):\s(.*)/g\
            {\
                $Time = $1;\
                $CStatus = $2;\
                $Process = $3;\
                $Process_result = $4;\
                to_json();\
            }\
            else\
            {\
                drop();\
            }\
</Input>

<Output graylog>
    Module      om_udp
    Host        10.101.78.224
    Port        12201
    OutputType    GELF
 
    #Use the following line for debugging (uncomment the fileop extension above as well)
    #Exec file_write("C:\\Program Files (x86)\\nxlog\\data\\nxlog_output.log", $raw_event);
</Output>

<Route eventlog>
    Path        hadoop => graylog
</Route>

Does anyone know what is wrong in this config file?

Thank you.

#2 adm Nxlog ✓

I think it's this:


           }\
</Input>

The last backslash is not needed.

The latest version now supports the <Exec> tag so that you don't need to add the backslash to each line, see this example.
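The `<Input hadoop>` block from the question rewritten with an `<Exec>` block, as an added example that is not part of the original posts or the NXLog documentation. It assumes an NXLog version that supports `<Exec>` blocks. Two changes beyond removing the backslashes are assumptions about the poster's intent: the log level group is made capturing (as posted, `(?:INFO|ERROR|WARN)` is non-capturing, so the pattern has only three captures and `$4` is never set), and the dots in the class name are escaped so they match literal dots; the `/g` modifier is omitted because a single match is all that is needed.

```conf
# Added example: <Input hadoop> from the question, using an <Exec> block.
<Input hadoop>
    Module      im_file
    File        "E:\\Hadoop\\test\\*.*"
    SavePos     TRUE
    Recursive   TRUE
    InputType   multi

    # Inside <Exec> ... </Exec> no line ends with a backslash, so there is
    # no trailing continuation that can join the closing </Input> line to
    # the Exec statement and leave the <Input> block unterminated.
    <Exec>
        # $1 = timestamp, $2 = level, $3 = Hadoop class, $4 = message
        if $raw_event =~ /^(\d+-\d+-\d+\s\d+:\d+:\d+,\d+)\s(INFO|ERROR|WARN)\s(org\.apache\.hadoop\.\w+\.\w+):\s(.*)/
        {
            $Time = $1;
            $CStatus = $2;
            $Process = $3;
            $Process_result = $4;
            to_json();
        }
        else
        {
            # Events that do not match the expected Hadoop format are discarded.
            drop();
        }
    </Exec>
</Input>
```

Because the `else` branch drops every non-matching event, lines in any other format never reach Graylog; route them to a separate output instead if they are needed for troubleshooting.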