Custom log parsing that has xml contents in ELK


(prosenjit biswas) #1

I have a custom log file that has plain text as well as XML tags. How do I capture these in separate fields? Here is what it looks like:
1/10/2017 4:16:35 AM :
Error thrown is:
No Error
*************************************************************************
Request sent is:
<ns0:MsgHeader MessageType="FIXORD" MsgDate="10.01.2017 04:16:32" SystemOfOrigin="ISCS_DE" CommunityID="SG888" xmlns:ns0="http://www.sp.com/Ecommerce/Worldwide/AvailabilityService/Schemas/InventoryMgmtRequest"><ns0:OrderID>SCEO4151547</ns0:OrderID><ns0:ReservationID></ns0:ReservationID><ns0:CRD></ns0:CRD></ns0:MsgHeader><ns0:MsgBody xmlns:ns0="http://www.sp.com/Ecommerce/Worldwide/AvailabilityService/Schemas/InventoryMgmtRequest"><ns0:Product Sku="CH562EE" Qty="1" IsExpress="false" IsTangible="true" Region="EMEA" Country="DE"><ns0:ProdType></ns0:ProdType><ns0:LineItemNum>1</ns0:LineItemNum><ns0:JCID></ns0:JCID></ns0:Product><ns0:Product Sku="CH563EE" Qty="1" IsExpress="false" IsTangible="true" Region="EMEA" Country="DE"><ns0:ProdType></ns0:ProdType><ns0:LineItemNum>2</ns0:LineItemNum><ns0:JCID></ns0:JCID></ns0:Product></ns0:MsgBody>
*************************************************************************
Response received is:
<ns0:InventoryMgmtResponse xmlns:ns0="http://www.sp.com/Ecommerce/Worldwide/AvailabilityService/Schemas/InventoryMgmtResponse"><ns0:MsgHeader MsgDate="10.01.2017 04:16:32" MessageType="FIXORD"><ns0:OrderID>SCEO4151547</ns0:OrderID><ns0:ReservationID /><ns0:ReadyToRelease>true</ns0:ReadyToRelease></ns0:MsgHeader><ns0:MsgBody><ns0:Product SKU="CH562EE" LSPSKU="9432GFT" OutOfStock="false" FulfillmentSite="00ZF" SKUExist="true" Region="EMEA" Country="DE" IsTangible="true"><ns0:EDD>TBA</ns0:EDD><ns0:FutureUsed>false</ns0:FutureUsed><ns0:CurrentQty>7169</ns0:CurrentQty><ns0:FutureQty>-1</ns0:FutureQty></ns0:Product><ns0:Product SKU="CH563EE" LSPSKU="9432GFU" OutOfStock="false" FulfillmentSite="00ZF" SKUExist="true" Region="EMEA" Country="DE" IsTangible="true"><ns0:EDD>TBA</ns0:EDD><ns0:FutureUsed>false</ns0:FutureUsed><ns0:CurrentQty>2389</ns0:CurrentQty><ns0:FutureQty>-1</ns0:FutureQty></ns0:Product></ns0:MsgBody></ns0:InventoryMgmtResponse>
*************************************************************************

Also, how can I filter the stars out?


(Magnus Bäck) #2

Perhaps a mutate filter's gsub option can help?


(prosenjit biswas) #3

gsub for filtering the stars out? I am not sure of the syntax. Also, how do I capture the XML data? Do you think GREEDYDATA in my grok filter is ideal here?
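
A Logstash pipeline for the record layout posted in #1, added here as an illustration (it is not from any poster in this thread): the multiline codec joins each record, `mutate`/`gsub` removes the star separators, and grok anchors on the fixed labels so that only the final field needs GREEDYDATA. The file path and all field names (`log_time`, `error_text`, `request_xml`, `response_xml`, `response`) are assumptions, as is the premise that the XML in the real file is well-formed.

```logstash
input {
  file {
    path => "/var/log/app/inventory.log"   # hypothetical path
    # A record starts at the timestamp line; every other line is appended to it.
    codec => multiline {
      pattern => "^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M :"
      negate => true
      what => "previous"
      auto_flush_interval => 2   # flush the last record instead of waiting for the next one
    }
  }
}

filter {
  # Remove the separator lines that consist only of asterisks.
  mutate {
    gsub => [ "message", "^[*]+\r?\n?", "" ]
  }

  # (?m) lets DATA and GREEDYDATA match across newlines. The literal labels
  # delimit each section, so the lazy DATA captures stop at the right place.
  grok {
    match => {
      "message" => "(?m)\A(?<log_time>[^\r\n]+?) :\s+Error thrown is:\s+%{DATA:error_text}\s+Request sent is:\s+%{DATA:request_xml}\s+Response received is:\s+%{GREEDYDATA:response_xml}"
    }
  }

  mutate { strip => [ "error_text", "request_xml", "response_xml" ] }

  # 1/10/2017 is month/day/year (the MsgDate attribute in the same record reads 10.01.2017).
  date {
    match => [ "log_time", "M/d/yyyy h:mm:ss a" ]
  }

  # Parse the response, which has a single root element, into a structured field.
  xml {
    source => "response_xml"
    target => "response"
    force_array => false
  }
}
```

The request as posted has two top-level elements (MsgHeader and MsgBody), so it is not a single well-formed document and is left as a raw string in `request_xml`.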

