Hello guys,
I've been trying to do this for some time now, and finally some progress... but:
I've got some XML files, with one multiline event per file.
This is my conf:
input {
  stdin {
    codec => multiline {
      pattern => "^<"
      negate => "true"
      what => "previous"
      auto_flush_interval => 1
    }
    type => xml
  }
}
filter {
  xml {
    source => message
    xpath => [
      "//cdr/state", "state",
      "//cdr/direction", "direction",
      "//cdr/call-stats/audio/inbound/media_packet_count", "inbound_media_packet_count",
      "//cdr/call-stats/audio/inbound/quality_percentage", "inbound_quality_percentage",
      "//cdr/call-stats/audio/inbound/mos", "inbound_mos",
      "//cdr/call-stats/audio/outbound/media_packet_count", "outbound_media_packet_count",
      "//cdr/call-stats/audio/outbound/quality_percentage", "outbound_quality_percentage",
      "//cdr/call-stats/audio/outbound/mos", "outbound_mos",
      "//cdr/variables/sip_gateway_name", "sip_gateway_name",
      "//cdr/variables/direction", "direction",
      "//cdr/variables/start_stamp", "start_stamp"
    ]
    store_xml => false
  }
  urldecode {
    all_fields => "true"
  }
  mutate {
    replace => [
      "start_stamp", "%{+YYYY.MM.dd} %{time}"
    ]
  }
}
output {
  elasticsearch {
    hosts => ["cdr-elastic:9200"]
    index => "cdr"
  }
  stdout { codec => rubydebug }
}
Finally, this seems to be importing the specified fields into Elasticsearch, but it is inserting them as arrays instead of plain fields... the XML part also seems to be wrong.
Help is greatly appreciated!
The resulting doc is as follows (abridged):
{
  "_index": "cdr",
  "_type": "doc",
  "_id": "HvNAhmEBVrPbe4FTPzxO",
  "_score": 1,
  "_source": {
    "outbound_media_packet_count": [
      "<media_packet_count>12029</media_packet_count>"
    ],
    "@timestamp": "2018-02-11T19:00:35.517Z",
    "inbound_media_packet_count": [
      "<media_packet_count>10673</media_packet_count>"
    ],
    "inbound_mos": [
      "<mos>4.48</mos>"
    ],
    "start_stamp": "2018.02.11 %{time}",
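The shape of the posted output follows from how the xml filter evaluates its `xpath` option: every matched node is converted to a string and appended to the target field, so the field is always a list, and an XPath such as `//cdr/state` matches the *element* node, which stringifies as `<state>...</state>`. Selecting the text node instead (`//cdr/state/text()`) yields the bare value. The script below is an added example, not code from the original post or from Logstash; it mimics that behaviour with Python's `xml.etree` on a constructed CDR document whose fields are invented to fit the XPaths in the post (a real FreeSWITCH CDR carries many more). It also shows what the conf's double mapping of `direction` does, what the filter's `force_array => false` setting changes, and the `urldecode { all_fields => true }` step on the URL-encoded `start_stamp`.

```python
"""Added example: why the xpath results come back as arrays of serialized
elements, reproduced with xml.etree instead of Logstash's Nokogiri."""
from urllib.parse import unquote
import xml.etree.ElementTree as ET

# Constructed sample document (values chosen to match the numbers in the post).
SAMPLE_CDR = """<?xml version="1.0"?>
<cdr>
  <state>CS_REPORTING</state>
  <direction>inbound</direction>
  <call-stats>
    <audio>
      <inbound>
        <media_packet_count>10673</media_packet_count>
        <mos>4.48</mos>
      </inbound>
      <outbound>
        <media_packet_count>12029</media_packet_count>
        <mos>4.41</mos>
      </outbound>
    </audio>
  </call-stats>
  <variables>
    <sip_gateway_name>gw-example</sip_gateway_name>
    <direction>inbound</direction>
    <start_stamp>2018-02-11%2019%3A00%3A35</start_stamp>
  </variables>
</cdr>
"""

# The post's mapping, reduced to the pairs that matter for the demonstration.
AS_POSTED = [
    ("//cdr/state", "state"),
    ("//cdr/direction", "direction"),
    ("//cdr/call-stats/audio/inbound/media_packet_count", "inbound_media_packet_count"),
    ("//cdr/call-stats/audio/inbound/mos", "inbound_mos"),
    ("//cdr/variables/direction", "direction"),
    ("//cdr/variables/start_stamp", "start_stamp"),
]
# Same mapping, but selecting the text node of each element.
WITH_TEXT = [(src + "/text()", dest) for src, dest in AS_POSTED]


def parse_cdr(xml_text):
    """Parse one CDR. A DOCTYPE is refused: CDRs never carry one, and it is the
    vehicle for entity-expansion and XXE tricks in XML from outside sources."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in CDR input")
    root = ET.fromstring(xml_text)
    # Wrap the root in a synthetic document node so the absolute XPaths from
    # the post (//cdr/...) can be evaluated with ElementTree's .//cdr/... form.
    doc = ET.Element("document")
    doc.append(root)
    return doc


def select(doc, xpath):
    """Return what the xml filter stores for `xpath`: always a list. Element
    matches are serialized with their tags; text() matches are bare strings."""
    want_text = xpath.endswith("/text()")
    path = xpath[: -len("/text()")] if want_text else xpath
    if not path.startswith("//"):
        raise ValueError("only absolute //... paths are handled here")
    nodes = doc.findall("." + path)  # "//cdr/state" -> ".//cdr/state"
    if want_text:
        return [n.text or "" for n in nodes]
    return [ET.tostring(n, encoding="unicode").strip() for n in nodes]


def extract(doc, xpath_pairs):
    """Apply (xpath, field) pairs the way the filter's `xpath` option does.
    Results for one target field are appended, so two XPaths aimed at the same
    field (the post maps both direction elements to "direction") give a
    two-element array even with the text() fix."""
    out = {}
    for src, dest in xpath_pairs:
        out.setdefault(dest, []).extend(select(doc, src))
    return out


def flatten(fields):
    """What force_array => false does in the filter: one-element lists become
    scalars, genuinely multi-valued fields stay arrays."""
    return {k: (v[0] if len(v) == 1 else v) for k, v in fields.items()}


def urldecode_all(fields):
    """Mimic urldecode { all_fields => true }: decode every string value."""
    def dec(v):
        return [unquote(x) for x in v] if isinstance(v, list) else unquote(v)
    return {k: dec(v) for k, v in fields.items()}


if __name__ == "__main__":
    cdr = parse_cdr(SAMPLE_CDR)
    print("as posted:", extract(cdr, AS_POSTED))
    print("text() + force_array false + urldecode:",
          urldecode_all(flatten(extract(cdr, WITH_TEXT))))
```

Run it and the first line reproduces the posted document (`["<media_packet_count>10673</media_packet_count>"]` and friends), while the second gives scalar `"10673"`, `"4.48"` and a decoded `"2018-02-11 19:00:35"`; `direction` stays a two-element array in both because the conf feeds it from two XPaths. The other oddity in the output, `"start_stamp": "2018.02.11 %{time}"`, is unrelated to the XML step: `%{+YYYY.MM.dd}` is expanded from `@timestamp`, but `%{time}` names a field that does not exist on the event, so Logstash's sprintf leaves it as literal text. The DOCTYPE refusal is a hardening choice added for this example; the xml filter itself does not do that check.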