How to parse xml.log via logstash

gavin-orange · September 9, 2020, 3:23am

Hello Guys ,
I am totally new into ES and now I want to use logstash to parse the xml.log , hope could get any help .
Here is part of xml.log which I have :

    <msg time='2019-10-25T01:50:15.913+08:00' org_id='oracle' comp_id='rdbms'
     client_id='' type='UNKNOWN' level='16'
     host_id='cnsh-ipccdb1' host_addr='10.7.1.11' module=''
     pid='20386'>
     <txt>  Current log# 4 seq# 430140 mem# 0: +DG_ORA/ora11g/onlinelog/group_4.283.995416149
     </txt>
    </msg>

How do I edit the filter ?

gavin-orange · September 9, 2020, 4:05am

I want the results as below :

time : 2019-10-25T01:50:15.913+08:00 
log: Current log# 4 seq# 430140 mem# 0: +DG_ORA/ora11g/onlinelog/group_4.283.995416149

stephenb · September 9, 2020, 4:29am

Hi @gavin-orange
Welcome to the community.

Have you look the XML filter.. should get you there / extract the fields

Then you might need to do some renaming , converting etc.

Pay attention to the date / time formats etc

gavin-orange · September 9, 2020, 6:10am

Hi Stephen ,
I used the " multiline " in filebeat to format the xml logs .
Then in logstash :

xml {
          source => "message"
          target => "parsed"
          store_xml => true
          force_array => false
          xpath => {
            "msg time" => "timestamp"
            "txt" => "contents" }

but the outcome is not as wished .

system · October 7, 2020, 6:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.