Changing xml console output

kcb · November 25, 2019, 6:18pm

We have a logstash script that successfully parses xml files. Our output displays in format:
geo => {
"service" => "abc"
"version: => "1.1.1"
...
}

Is it possible to get rid of the "geo" in the display, so the display is instead
"service" => "abc"
"version" => "1.1.1"
...

Our logstash configuration file is:

input {
file {
path => "D:/temp/geoserver_audit_*.log"
sincedb_path => "nul"
start_position => "beginning"
type => "xml"
codec => multiline {
pattern => "<Request "
negate => true
what => "previous"
auto_flush_interval => 1
}
}
}

filter {
if [message] =~ /<?xml/ { drop {} }
mutate { gsub => [ "message", "<(/)?Requests>", "" ] }

xml 
{
    source => "message"
    target => "geo"
	store_xml => true
	force_array => false
}

ruby {
	code => '
		x = event.get("geo")
		if x
			x.each { |k, v|
				newk = k.gsub(/(?!^)([A-Z])/, "_\\1")
				newk = newk.downcase
				event.remove("[geo][#{k}]")
				event.set("[geo][#{newk}]", v)
			}
		end
	'
}
mutate {
  remove_field => [tags, host, message, path]
}

}

output {
stdout {
codec => rubydebug
}

Badger · November 25, 2019, 6:26pm

If you change that to

event.set("[#{newk}]", v)

that should do what you want.

system · December 23, 2019, 6:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.