Handling Large XML Files

Tim_Mobley · October 30, 2021, 6:09pm

I have a large XML file that I'm trying to parse. But when I use max_lines I somehow lose the @timestamp field. Is there a way to use both?

input {
  file {
    path => [ "C:/temp/TEST/*.xml" ]
    start_position => "beginning"    
    codec => multiline {
      pattern => "^ZsExDrC" 
      what => "previous" 
      negate => true 
      auto_flush_interval => 2
      # Problem: When 'max_line' is applied, @timestamp (and other fields) are stripped
      max_lines => 15000
    }
  }
}

Badger · October 31, 2021, 11:54pm

I have never seen that happen before, and I use multiline codecs a lot. Are you sure that is the only change you are making?

system · November 28, 2021, 11:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to effectively use multiline codec with a crazy long xml file? Logstash	3	479	January 29, 2018
Xml-file too big for logstash? Logstash	28	2773	June 10, 2019
Parsing big xml files in logstash Logstash	1	250	November 30, 2022
Multiline XML processing using logstash Logstash	7	1755	February 2, 2018
Xml parse files help Logstash	7	1842	July 31, 2017

Handling Large XML Files

Related topics