How to extract field name which has space in them using xpath

kamalbeg · December 9, 2020, 11:57pm

I have following xml code

xml {
       source => "message"
        store_xml => "false"
      remove_namespaces =>  "true"
      xpath => [
          '/E2ETraceEvent/System/Computer/text()', "[grc][System][Computer]",
          '/E2ETraceEvent/System/Correlation/text()', "[grc][System][Correlation]",
          '/E2ETraceEvent/System/`Source Name`/text()', "[grc][System][Source]"
        ]
   }
  
But it fails when I have space in my xml field name

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
    <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
        <EventID>0</EventID>
        <Type>3</Type>
        <SubType Name="Error">0</SubType>
        <Level>2</Level>
        <TimeCreated SystemTime="2020-10-21T04:47:38.0146329Z" />
        <Source Name="Archer.Web" />
        <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
        <Execution ProcessName="w3wp" ProcessID="6884" ThreadID="226" />
        <Assembly Version>6.7.300.1039</AssemblyVersion>
        <Channel />
        <Computer>ABCXYZ</Computer>
    </System>
</E2ETraceEvent>

How do I extract fields with space in them such as
SubType Name
TimeCreated SystemTime
xpath extracts Compter just fine.

Badger · December 10, 2020, 12:53am

That is not what you have. XML element names cannot contain spaces. You have a Source element that has a Name attribute.

<Assembly Version>6.7.300.1039</AssemblyVersion>

Note that you have an extra space in Assembly Version that causes the xml filter to silently fail. If you fix that then you can use

    xml {
        source => "message"
        store_xml => false
        remove_namespaces => true
        xpath => {
            "/E2ETraceEvent/System/Computer/text()" => "[grc][System][Computer]"
            "/E2ETraceEvent/System/Correlation/text()" => "[grc][System][Correlation]"
            "/E2ETraceEvent/System/Source/@Name" => "[grc][System][Source]"
        }
    }

to get yourself

       "grc" => {
    "System" => {
          "Source" => [
            [0] "Archer.Web"
        ],
        "Computer" => [
            [0] "ABCXYZ"
        ]
    }
},

system · January 7, 2021, 12:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.