Help with converting String to Integer in xml parsing

Elastic Stack Logstash
1

I am parsing a nested xml using the below conf file and it parses individual tag elements perfectly. But when I try to convert string elements to Integer using XPath, it forms arrays of values.

input{
http_poller{
        urls => {
                urlname => "urlxxxxxx"
        }
        request_timeout => 880
        socket_timeout => 180
        connect_timeout => 100
        schedule => {every => "60s"}
        type => "xml"
        codec => "plain"
    }
}
filter {
      xml {
        source => "message"
        target => "parsed"
        store_xml =>true
      }
        split {
        field => "[parsed][collectionInstance]"
        }
        split {
        field => "[parsed][collectionInstance][actions]"
        }
        split {
        field => "[parsed][collectionInstance][actions][rerun]"
        }
        split {
        field => "[parsed][collectionInstance][aha]"
        }
        split {
        field => "[parsed][collectionInstance][aha][regressionAnalysis]"
        }
        split {
        field => "[parsed][collectionInstance][aha][stabilityAnalysis]"
        }


mutate {
remove_field => ["message","@version"]
}

}

output{
elasticsearch{
        hosts => ["localhost:9200"]
		index => "summary_xml"
}
stdout { codec => rubydebug }
}

My indexed output in Kibana looks like this

image
image1320×691 60.5 KB

When I add the XPath values, and convert block for changing data types, with the below conf:

input{
http_poller{ 
        urls => {
                urlname => "http://thirdeye.us.oracle.com/thirdeye-services/v1.0/views/runs/summary.xml?tql=user.dte.topology.id=%5B%5B%7B%7B98319%7D%7D%5D%5D%20time%20%3E%20$now%20-%201%20*%20$day"
        }
        request_timeout => 880
        socket_timeout => 180
        connect_timeout => 100
        schedule => {every => "60s"}
        type => "xml"
        codec => "plain"
    }
}
filter {
      xml {
        source => "message"
        target => "parsed"
        store_xml =>true
        xpath => [
                "//collectionInstance/actions/failure/text()", "ActionsFailurecount",
                "//collectionInstance/actions/rerun/failure/text()", "rerunfailurecount",
                "//collectionInstance/actions/rerun/success/text()", "rerunsuccesscount",
                "//collectionInstance/actions/rerun/total/text()", "actionreruntotalcount",
                "//collectionInstance/actions/total/text()", "actionstotalcount",
                "//collectionInstance/actions/success/text()", "actionssuccesscount",
                "//collectionInstance/aha/regressionAnalysis/regressionLikely/text()", "regressionLikely",
                "//collectionInstance/aha/stabilityAnalysis/alwaysPass/text()", "alwaysPass",
                "//collectionInstance/aha/stabilityAnalysis/failedWithoutProblem/text()", "failedWithoutProblem",
                "//collectionInstance/aha/stabilityAnalysis/healthy/text()", "stabilityanalysis_healthy",
                "//collectionInstance/aha/stabilityAnalysis/neverPass/text()", "neverPass",
                "//parsed/count/text()", "count",
                "//collectionInstance/actions/timeout/text()", "actionstimeoutcount",
                "//collectionInstance/actions/rerun/timeout/text()", "actionsreruntimeoutcount"
                ]
      }
        split {
        field => "[parsed][collectionInstance]"
        }
        split {
        field => "[parsed][collectionInstance][actions]"
        }
        split {
        field => "[parsed][collectionInstance][actions][rerun]"
        }
        split {
        field => "[parsed][collectionInstance][aha]"
        }
        
        split {
        field => "[parsed][collectionInstance][aha][regressionAnalysis]"
        }
        split {
        field => "[parsed][collectionInstance][aha][stabilityAnalysis]"
        }

mutate {
        convert => {"ActionsFailurecount"  =>      "integer" }
        convert => { "actionsreruntimeoutcount"  => "integer" }
        convert => {"actionstimeoutcount"           => "integer"}
        convert => {"count"          => "integer"}
        convert => {"neverPass"  => "integer"}
        convert => {"stabilityanalysis_healthy"  => "integer"}
        convert => {"failedWithoutProblem"  => "integer"}
        convert => {"alwaysPass"  => "integer"}
        convert => {"regressionLikely"  => "integer"}
        convert => {"actionssuccesscount"  => "integer"}
        convert => {"actionstotalcount"  => "integer"}
        convert => {"actionreruntotalcount"  => "integer"}
        convert => {"rerunsuccesscount"  => "integer"}
        convert => {"rerunfailurecount"  => "integer"}

}
mutate {
remove_field => ["message","@version"]
}

}

output{
elasticsearch{
        hosts => ["localhost:9200"]
        index => "xml_summary"
}
stdout { codec => rubydebug }
}

image
image1258×789 73.3 KB

How can I get data type conversion without having data clubbed in to arrays?

2

Resolved this issue by adding individual mutate convert blocks in conf file.

 mutate{
        convert=>{"[parsed][collectionInstance][actions][failure]"=>"integer"}
        }
        mutate{
        convert=>{"[parsed][collectionInstance][actions][success]"=>"integer"}
        }
        mutate{
        convert=>{"[parsed][collectionInstance][actions][total]"=>"integer"}
        }
        mutate{
        convert=>{"[parsed][collectionInstance][aha][regressionAnalysis][regressionLikely]"=>"integer"}
        }
        mutate{
        convert=>{"[parsed][collectionInstance][aha][stabilityAnalysis][alwaysPass]"=>"integer"}
        }
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.