Oh it works like a charm. By the way, @Badger, I was trying to parse EPO syslog, and I saw Splunk has an excellent add-on to handle the logs. In the transforms.conf file of the Splunk add-on, they got this thing:
[mcafee_epo_regex_field_extraction]
REGEX = <([\w-]+)>([^<]+?)<\/\1>
FORMAT = $1::$2
CLEAN_KEYS = false
It's used for extracting every single field in XML, no matter how complex the XML structure is, which is really cool and the thing I need. I wonder if I could do the same thing with Logstash?
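One way to reproduce that Splunk extraction in Logstash is to drop the same regex into a `ruby` filter. The following is an added example written for this reply, not code from the original post, the Splunk add-on or Logstash itself; the `extract_leaf_fields` helper and the ePO-style sample XML are constructed for illustration. The regex is the one from transforms.conf, and the Hash it returns corresponds to the `$1::$2` pairs Splunk would emit; the one deliberate difference is that repeated tag names are collected into an Array instead of the later value silently overwriting the earlier one.

```ruby
# Added example: Ruby port of the Splunk mcafee_epo_regex_field_extraction
# logic, written so it can be reused inside a Logstash `ruby` filter.
# The sample XML below is constructed for illustration, not real ePO output.

# Same pattern as the Splunk transform: an opening tag, text with no '<',
# and a closing tag whose name must match the opening tag (backreference \1).
# Only leaf elements match; containers fail because their body contains '<'.
LEAF_ELEMENT = /<([\w-]+)>([^<]+?)<\/\1>/

# Returns a Hash of tag name => text for every leaf element in the XML.
# Repeated tag names are gathered into an Array rather than overwritten.
def extract_leaf_fields(xml)
  fields = {}
  xml.scan(LEAF_ELEMENT) do |name, value|
    if fields.key?(name)
      fields[name] = Array(fields[name]) << value
    else
      fields[name] = value
    end
  end
  fields
end

# Constructed sample: nested containers, an element with an attribute
# (which the regex deliberately does not match) and repeated tag names.
SAMPLE_XML = <<~XML
  <EPOEvent>
    <MachineInfo>
      <MachineName>host-01</MachineName>
      <AgentGUID>00000000-0000-0000-0000-000000000001</AgentGUID>
      <IPAddress>10.0.0.5</IPAddress>
    </MachineInfo>
    <SoftwareInfo ProductName="Endpoint Security">
      <Event>
        <EventID>1027</EventID>
        <Severity>3</Severity>
      </Event>
      <Event>
        <EventID>1092</EventID>
        <Severity>2</Severity>
      </Event>
    </SoftwareInfo>
  </EPOEvent>
XML

if __FILE__ == $0
  extract_leaf_fields(SAMPLE_XML).each { |k, v| puts "#{k} => #{v.inspect}" }
end
```

Inside a Logstash `ruby` filter you would run the same logic against the event, e.g. `extract_leaf_fields(event.get("message")).each { |k, v| event.set("epo_#{k}", v) }`. The prefix is worth keeping: the field names come straight from the incoming data, so without it a tag such as `<host>` or `<message>` would overwrite a field Logstash already uses. Two caveats carry over from the Splunk approach: the regex skips elements that carry attributes or CDATA and does not decode entities like `&amp;`, so if the XML has either of those the `xml` filter (a real parser) is the safer choice.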