Filtering in Logstash for XML data

Bharath_Pusuluri · September 5, 2018, 3:41pm

Need help in writing the right conf file for the data displayed here. Getting the splittable errors

Input file --- from the url

</clusterMetrics>

Code:

Input used

exec {

type =&gt; "metrics"

command =&gt; "curl -s http://13.11.xxx.234:8088/ws/v1/cluster/metrics"

interval =&gt; "5"

codec =&gt; "json"

}

filter used

if [type] == "metrics"

{

 split {

         field =&gt; "metrics[clusterMetrics]"

         remove_field =&gt; [ "command" ]

 }

}

Output used

elasticsearch {

index =&gt; "yarn-metrics-%{+YYYY.MM.dd}"

document_type =&gt; "doc"

codec =&gt; "json"

servername...

username

password..
}

magnusbaeck · September 5, 2018, 4:59pm

Why run curl instead of using the http_poller input plugin?
If curl indeed returns XML you should remove codec => json.
To parse the XML use an xml filter.
The point of the split filter is unclear. That filter requires an array as input and transforming the XML in your example won't produce any arrays.

Bharath_Pusuluri · September 6, 2018, 12:37am

Hi Magnus,

Based on your suggestions I changed to http polar and also used the xml.

The code with Jason and also Xml, http polar all are working in 5.6 version of elastic but failing with 5.2.1 version.

It is throwing splittable errors

Regards,
Bharath

Bharath_Pusuluri · September 6, 2018, 12:39am

How to check the split filter value , can u suggest? I am writing the logstash conf for the first time

magnusbaeck · September 6, 2018, 6:15am

Instead of describing what you see, show us. What does an example event look like? Use a stdout { codec => rubydebug } output to dump the raw event.

system · October 4, 2018, 6:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.