Custom Multiline Parsing

Naveesh_Doolhur · September 3, 2019, 8:54pm

I have a Log file as follows:

===================================== REQUEST 03-09-2019 01:12:25.808599 REF:5001462 =========================================
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Service2>
    <Rqst>
        <MsgHdr>
            <Version>006</Version>
            <TimeGMT>2019090221123353</TimeGMT>
        </MsgHdr>
    </Rqst>
</Service2>

===================================== RESPONSE 03-09-2019 01:12:27.434655 Ref:5001462 =========================================
<Service2><Resp><MsgHdr><Version>006</Version><TimeGMT>20190903011227</TimeGMT></MsgHdr></Resp></Service2>

There is a request and then a response. Any idea how it can be parsed? I would need the whole Request XML and Response XML in a single row as well as the request and response time. Both have the same Ref field.

Thanks

Badger · September 4, 2019, 12:02pm

I would start with

    grok {
        match => { "message" => "=+ %{DATA:header} =+
%{GREEDYDATA:[@metadata][xml]}" }
    }
    xml { source => "[@metadata][xml]" target => "theXML" force_array => false }

system · October 2, 2019, 12:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.