How to load emails into ES instance

Badger · August 14, 2024, 4:42pm

The store_xml and xpath options use different XML parsers (one uses NokoGiri, one uses XmlSimple). The xpath option does not like the xmlns attribute on the html element (and I'll never get back the hour and a half it took me to figure that out )

If you use

    mutate { gsub => [ "message", '<html xmlns="[^"]*"', '<html' ] }
    xml {
        source => "message"
        store_xml => false
        remove_field => [ "message" ]
        xpath => {
            '/html/head/meta[@name="resourceName"]/@content' => "bar"
            '/html/head/meta[@name="dcterms:created"]/@content' => "foo"
        }
    }

then you will get

       "foo" => [
    [0] "2024-07-31T13:18:36Z"
],
       "bar" => [
    [0] "S12317 - Ciberseguridad - LeadsSpain (LeadsSpain@yourshortlist.com) - 2024-07-31 1518.eml"
]

Note that xpath always returns arrays, and setting force_array => false does not stop it doing so.

jaime_solas · August 15, 2024, 8:40am

I am happy to report that now everything has turned out 100%, thank you very much for everything.
I put the code in case someone else has the same problem as me.

input {
  file {
    path => "/home/jaime/PRUEBA_CORREOS/*.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
	pattern => "^<\?xml"
        negate => "true"
        what => "previous"
	auto_flush_interval => 5
    }
  }
}

filter {
  grok { match => { "message" => "<body>%{GREEDYDATA:theHTML}</body>" } }

  mutate { gsub => [ "message", '<html xmlns="[^"]*"', '<html' ] }
  xml { 
    source => "message" 
    store_xml => false 
    remove_field => [ "message" ] 
    xpath => {
      '/html/head/meta[@name="dcterms:created"]/@content' => "Create_Date"
      '/html/head/meta[@name="Message:From-Email"]/@content' => "Message_from"
      '/html/head/meta[@name="Message-To"]/@content' => "Message_To"
      '/html/head/meta[@name="dc:title"]/@content' => "Titulo_email"
      '/html/head/meta[@name="resourceName"]/@content' => "eml_origen"
    }
  
  
  }
    ruby {
        code => '
            meta = event.remove("[parsed][head][meta]")
            meta.each { |x|
                key = x["name"]
                if key =~ /^Message:Raw-Header:/
                    newKey = key.sub(/^Message:Raw-Header:/, "")
                    newKey = "[headers][#{newKey}]"
                else
                    newKey = key.sub(/^.*:/, "")
                    newKey = "[otherStuff][#{newKey}]"
                end
                event.set(newKey, x["content"])
            }
        '
    }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "emails"
  }
}

Topic		Replies	Views
Help with logstash and XML Logstash	5	1158	July 6, 2017
How to load xml file using logstash in es? Logstash	7	7943	July 6, 2017
Load Multiple xml file from logstash into Elasticsearch Logstash	6	1350	July 8, 2019
How to load emails into ES instance Logstash	1	393	September 19, 2018
Import Emails into Elasticsearch using Logstash IMAP Input Logstash	1	221	February 22, 2024

How to load emails into ES instance

Related topics