Access nested fields with wildcards?

CraigFoote · December 14, 2015, 8:03pm

I'm using the XML filter to parse an XML log, targeting "doc":

filter{
    xml{
        source => "message"
        target => "doc"
    }

But I have some numeric fields that come through as Strings. They are not in quotes in the XML so this may be a bug. Anyway, I'm using a mutate filter to convert them to integers:
mutate{
add_field => { "file_size" => "%{[doc][Event][0][Copy][0][Source][0][File][0][Size][0]}" }
}
mutate{
convert => { "file_size" => "integer" }
}

My problem is the XMLs can vary widely; it could be a Move or a Delete or a Rename, etc., and there could be multiple files, i.e. I could be looking at:
[doc][Event][0][Copy][0][Source][0][File][0][Size][1000]

Can I reference the nested fields using wildcards? Something like:
[doc][Event]*[Size]*

Any ideas appreciated.

magnusbaeck · December 14, 2015, 8:23pm

But I have some numeric fields that come through as Strings. They are not in quotes in the XML so this may be a bug.

No, that's the intended behavior. No XML content is parsed as integers or any other data type.

Can I reference the nested fields using wildcards?

Nope. You'd have to implement that yourself using a ruby filter.

CraigFoote · December 14, 2015, 8:23pm

Ok, thanks Magnus.