How to extract xml data?

laptop_data · April 17, 2017, 9:33am

Hi,

I have XML data shown below, how to extract it. Using XML filter.

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE> <?xml-stylesheet type="text/xsl"?> <osx start="1492328769" startstr="Linux Apr 16 13:16:09 2017" version="7.40" xmloutputversion="1.04"> <scaninfo type="syn" protocol="tcp" services="9000" services="1-9000"/> <verbose level="0"/> <debugging level="0"/> <taskprogress time="1492329125" percent="99.50" remaining="1" etc="1492329125"/> <host starttime="1492328777" endtime="1492329127"><status state="up" reason="echo-reply" reason_ttl="254"/> <address addr="192.168.1.1" addrtype="ipv4"/> <hostnames> <hostname name="google.com" type="user"/> </hostnames> <osmatch name="Linux" accuracy="94" line="94449"> <osclass type="general purpose" vendor="Linux" osfamily="" osgen="14" accuracy="94"> <cpe> 	cpe:/o:linux:linuxos:14 </cpe> </osclass> </osmatch> <distance value="1"/> <trace port="139" proto="tcp"> <hop ttl="1" ipaddr="192.168.1.1" rtt="83.00"/> </trace> <times srtt="82575" rttvar="5011" to="102619"/> </host> </osx>

magnusbaeck · April 18, 2017, 8:38am

In what way are you finding the xml filter hard to use?

In what way do you want to extract the data? What is the desired result?

laptop_data · April 20, 2017, 9:49am

Hi @magnusbaeck, Thanks for your replay, I want to pass that data to kibana to visualize.
I require column data from the xml. How to extract each single element from XML.

magnusbaeck · April 20, 2017, 10:02am

Okay. And have you tried using the xml filter and specifying the name of the field containing the XML data in the source option?

laptop_data · April 20, 2017, 10:12am

yes, i've written like

filter {
xml {
source => "osx"
}
}

but it is not working

magnusbaeck · April 20, 2017, 10:15am

And what does an example event look like? Use a stdout { codec => rubydebug } output to dump the raw resulting event.

laptop_data · April 20, 2017, 10:18am

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE> <?xml-stylesheet type="text/xsl"?>
<osx start="1492328769" startstr="Linux Apr 16 13:16:09 2017" version="7.40" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" services="9000" services="1-9000"/>
<verbose level="0"/>
<debugging level="0"/>
<taskprogress time="1492329125" percent="99.50" remaining="1" etc="1492329125"/>
<host starttime="1492328777" endtime="1492329127">
<status state="up" reason="echo-reply" reason_ttl="254"/> <address addr="192.168.1.1" addrtype="ipv4"/> <hostnames> <hostname name="google.com" type="user"/> </hostnames> <osmatch name="Linux" accuracy="94" line="94449"> <osclass type="general purpose" vendor="Linux" osfamily="" osgen="14" accuracy="94"> <cpe> cpe:/o:linux:linuxos:14 </cpe> </osclass> </osmatch> <distance value="1"/> <trace port="139" proto="tcp"> <hop ttl="1" ipaddr="192.168.1.1" rtt="83.00"/> </trace> <times srtt="82575" rttvar="5011" to="102619"/> </host> </osx>
[/quote]

This is my data and used the same stdout.

magnusbaeck · April 20, 2017, 11:06am

That's not what I asked for, but I think I know what the problem is anyway. Don't set the source option to "osx". The field where the XML data is stored is most likely named "message".

system · May 18, 2017, 11:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.