Get element from xml

Elastic Stack Logstash
1

I have the following logstash conf file:

input {
    jdbc {
        jdbc_connection_string => "jdbc:oracle:thin:@host:1521:sid"
        jdbc_user => "admin"
		jdbc_password => "admin"
        jdbc_validate_connection => true
        jdbc_driver_library => "C:\ELK\INSTALL\logstash-5.4.0\jdbc\ojdbc6.jar"
        jdbc_driver_class => "Java::oracle.jdbc.driver.OracleDriver"
        statement => "SELECT user_id,name,status,startdate,updatedate,xmldata FROM account "
    }	
}


    filter {

   mutate {
        add_field => { 
            "xmldataAtt" 
        }
    }

ruby {
	   code => "
			if event.get('xmldata') != nil then
				xmldataAtt = event.get('xmldata')
			end
			"      
	}

xml {
  source => "xmldataAtt"
    xpath  =>  [
	"/getTest//TestRequest/codifType/text()", "codif",
	"/getTest//TestRequest/currency/text()", "currency",
	"/getTest//TestRequest/date/text()", "dateCall",
	"/getTest//TestRequest/exchange/text()", "info"
	
   ]

}

}

output {
elasticsearch {
    index => "xmltest"
    hosts => "localhost:9200"
}

stdout { codec => json }

Example of xml :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:getTest xmlns:ns2="http://google.com" xmlns="http://google.com">

	<ns2:in0>
		<TestRequest>
			<codifType>type</codifType>
			<currency>MAD</currency>
			<date>2015-01-16T00:00:00.000+01:00</date>
			<exchange>TOTO123</exchange>
		</TestRequest>
	</ns2:in0>
	</ns2:getTest>

Thank's

2

https://www.elastic.co/guide/en/logstash/current/plugins-filters-xml.html

Why you couldnt use a filter xml??

3

i install the plugin logstash-filter-xml but how I can use it ?

4

Just point the xml filter to the xmldata field. Your attempt to copy xmldata to xmldataAtt won't work and isn't useful anyway.

5

i found the solution using logstash-filter-xml.

filter {

xml {
	# store_xml => "false"
	source => xmldata
	target => "doc"
	add_tag => "xml"
}



 split {
	field => "doc[in0]"
	
  }
  
 split {
	field => "doc[in0][TestRequest]"
 }



 mutate {
	add_field => {

	  codif               => "%{doc[in0][TestRequest][codifType]}"
	  currency            => "%{doc[in0][TestRequest][currency]}"
	  date  		  => "%{doc[in0][TestRequest][date]}"
	  exchange            => "%{doc[in0][TestRequest][exchange]}"
	}
	
	  convert => { 
		"codif" => "string"
		"currency" => "string"
		"date" => "integer"
		"exchange" => "string"
	}
   
   
	remove_field => ['doc']
 }

}

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.