Filtering json with embedded xml

Badger · July 6, 2018, 5:32pm

    # Capture the JSON after payload, then remove it
    grok { match => { "message" => '>",(?<endOfJson>[^>]+)$' } }
    mutate { gsub => [ "message", ">[^>]+$", "" ] }

    # Split the remainder into the initial JSON and the payload
    dissect { mapping => { "message" => '%{startOfJson}"payload":"%{payload}' } }

    # Fix up the XML. I am mystified where that >> comes from, but get rid of it!
    mutate { gsub => [ "payload", "&lt;", "<", "payload", "$", ">" , "payload", ">>", ">" ] }

    # Parse the XML
    xml { source => "payload" store_xml => true target => "theXML" force_array => false }

    # Create some valid json and parse it. Use target in json filter?
    mutate { add_field => { "wholeJson" => "%{startOfJson}%{endOfJson}" } }
    json { source => "wholeJson" }

    #mutate { remove_field => [ "startOfJson", "endOfJson", "wholeJson", "payload" ] }

And if you do not like the format of DynamicHeaders then you can change it using this.

Topic		Replies	Views
XML filter help Logstash	5	1545	July 6, 2017
Parsing Json object array Logstash	7	380	March 9, 2021
Filter JSON content in field and parse target with existing mapping Logstash	6	1969	June 14, 2018
Parsing filter for nested json Logstash	2	318	July 27, 2020
Parsing log in logstash with format xml and json embebed Logstash	2	222	September 14, 2023

Filtering json with embedded xml

Related Topics