Extract data with Logstash and Xpath

neo · June 5, 2018, 12:50pm

Hi ,
I want to extract data (timestamp and message) via Xpath plugin in Logstash from XML files to display only them in fields in kibana.

neo:

Hi ,
I want to extract data (timestamp and message) via Xpath plugin in Logstash from XML files to display only them in fields in kibana.

XML sample:

image689×831 22.2 KB

here is my LOGSTASH conf :

input {
beats {
port => 5044
}
}
filter{
xml{
target => "doc"
store_xml => false
source => "message"
xpath =>
["/E2ETraceEvent/System/EventID/@EventID", "event_id",
"/E2ETraceEvent/System/Type/@Type", "type",
"/E2ETraceEvent/System/SubType/@SubType", "name",
"/E2ETraceEvent/System/Level/@Level", "level",
"/E2ETraceEvent/System/TimeCreated/@TimeCreated", "time"]
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => "100.101.15.181:9200"
manage_template => false
index => "t11-%{+YYYY.MM}"
}
}
in my conf I'm tryig to parse only couple of columns because of the complexity of log, I need to parse all the log data.

I'm on it couple of day and i don't get any errors on logstash log or filebeat but no data inserted into ELASTIC.

can someone help me to understand how to work it out?

Thanks in advance.

here is my LOGSTASH conf :

input {
beats {
port => 5044
}
}
filter{
xml{
target => "doc"
store_xml => false
source => "message"
xpath =>
["/E2ETraceEvent/System/EventID/@EventID", "event_id",
"/E2ETraceEvent/System/Type/@Type", "type",
"/E2ETraceEvent/System/SubType/@SubType", "name",
"/E2ETraceEvent/System/Level/@Level", "level",
"/E2ETraceEvent/System/TimeCreated/@TimeCreated", "time"]
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => "100.101.15.181:9200"
manage_template => false
index => "t11-%{+YYYY.MM}"
}
}
in my conf I'm tryig to parse only couple of columns because of the complexity of log, I need to parse all the log data.

I'm on it couple of day and i don't get any errors on logstash log or filebeat but no data inserted into ELASTIC.

can someone help me to understand how to work it out?

Thanks in advance.

Badger · June 5, 2018, 1:46pm

That is not XML. Can you post the XML between line contains three backticks, like this: ```

Badger · June 5, 2018, 3:05pm

To pull out the value of individual nodes, use

xpath => { "/E2ETraceEvent/System/EventID/text()" => "event_id" }

If you do that, you may also want to

if [event_id] { mutate { replace => { "event_id" => "%{[event_id][0]}" } } }

However, if you want to parse all of the xml, use

store_xml => true target => "someField"

system · July 3, 2018, 3:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing xml using logstaash xpath Logstash	24	5805	March 12, 2018
Logstash - Aggregate xpath data Logstash	9	345	January 18, 2023
Help Logstash XML Parsing to Xpath Logstash	23	1391	September 11, 2020
Parsing jenkins xml using logstash Logstash	5	614	June 27, 2018
Work with xml in logstash Logstash	2	195	March 6, 2023

Extract data with Logstash and Xpath

Related Topics