Handling Large XML Files

Tim_Mobley · October 30, 2021, 6:09pm

I have a large XML file that I'm trying to parse. But when I use max_lines I somehow lose the @timestamp field. Is there a way to use both?

input {
  file {
    path => [ "C:/temp/TEST/*.xml" ]
    start_position => "beginning"    
    codec => multiline {
      pattern => "^ZsExDrC" 
      what => "previous" 
      negate => true 
      auto_flush_interval => 2
      # Problem: When 'max_line' is applied, @timestamp (and other fields) are stripped
      max_lines => 15000
    }
  }
}

Badger · October 31, 2021, 11:54pm

I have never seen that happen before, and I use multiline codecs a lot. Are you sure that is the only change you are making?

system · November 28, 2021, 11:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.