How to handle message with <F1>value</F1><F3>value</F3>

rugenl · April 25, 2019, 6:44pm

We have some logs where fields are separated with html like tags, value or phrase. The problem is that some messages have different fields and/or they may be in different orders.

Our SME's assistance was "Splunk just did it"

Thanks

Badger · April 25, 2019, 7:47pm

You can use an xml filter to parse that. A filter can only consume one XML document at a time, so you would need to wrap it in an outer document. With that message

    mutate { gsub => [ "message", "^", "<f>", "message", "$", "</f>" ] }
    xml { source => "message" target => "theXML" }

would result in

    "theXML" => {
    "F1" => [
        [0] "value"
    ],
    "F3" => [
        [0] "value"
    ]
}

You may also want to use the option force_array => false.

system · May 23, 2019, 7:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter for message field with specific pattern Logstash	3	446	December 4, 2017
XML filter help Logstash	5	1545	July 6, 2017
Logstash Message Parsing Logstash	14	1553	October 3, 2017
How to split and parse message properly with different plugins? Logstash	2	2037	October 20, 2017
Issue parsing XML File with logstash Logstash	1	286	May 18, 2018

How to handle message with <F1>value</F1><F3>value</F3>

Related topics