Defining Source When Using Filebeat

Hi,
I am using Filebeat to read XML files from a directory and then feed them to Logstash, where they are filtered and then sent out to Elastic. I thought that perhaps when the pipeline gets created in the Logstash config, it does the Filebeat input and then passes it to the filter portion, but perhaps not, because when I run the job I get:

  filter {
    xml {
      source => # SETTING MISSING
      ...
    }
  }

My current config has:

input {
  beats {
    port => 5044
    codec => multiline {
      auto_flush_interval => 1
      negate => "true"
      pattern => "^<name=*\>"
      what => "previous"
      max_lines => 1000000000
      max_bytes => "500 MiB"
    }
  }
}
filter {
  xml {
    store_xml => true
    store_xml => false
    target => "theXML"
    force_array => false
  }
  mutate { replace => { "c_port" => "%{[theXML][c_port]}" } }
  mutate { convert => { "c_port" => "integer" } }
}

So I'm curious: if it's not logically reading from input as SOURCE and I have to place a SOURCE statement in the filter section, then what do I declare as the source? Would it be something like:

SOURCE => beats

?

Thank you.

You need to tell the xml filter which field of the event the XML is in. You can try

  source => "message"
  store_xml => true
  store_xml => false

If you set store_xml to false and are not using xpath then the xml filter will not do anything.
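
The filter block with `source` set as the answer describes, as an added example that is not part of the original posts. It shows the two configurations in which the xml filter produces output. The `//c_port/text()` XPath expression and the `c_port_raw` field name are assumptions, since the thread does not show the XML documents.

```logstash
# Added example. Use option A or option B, not both.

# Option A: parse the whole document and store it under a target field.
filter {
  xml {
    source      => "message"   # event field that holds the raw XML text
    store_xml   => true        # keep the parsed document ...
    target      => "theXML"    # ... under this field
    force_array => false       # single child elements become scalars, not one-element arrays
  }
  # Field names below are the ones used in the question.
  mutate { replace => { "c_port" => "%{[theXML][c_port]}" } }
  mutate { convert => { "c_port" => "integer" } }
}

# Option B: do not store the parsed document, extract selected values with xpath.
# With store_xml => false and no xpath, the filter leaves the event unchanged.
filter {
  xml {
    source    => "message"
    store_xml => false
    # Assumed expression and destination field; matches are pushed onto
    # the destination field as an array.
    xpath     => { "//c_port/text()" => "c_port_raw" }
  }
}
```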

Thank you Badger. Really appreciate you being out there for us little folks.
