How to read XML logs

abhisek · October 20, 2017, 7:43am

Hi team,

My log file is "|" separated but two fields contains XML data. please let me know how can i read this.

magnusbaeck · October 23, 2017, 5:18am

Please show an example.

abhisek · October 23, 2017, 7:09am

My Xml file looks like:

1000|121|2017-07-18 15:14:25.893024|0|xxx.xxx.net|read|'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.lookup.sdp.bharti.ibm.com"> <soapenv:Header/> <soapenv:Body> <web:getLookUpServiceDetails> <getLookUpService> <serviceRequester>iOBD</serviceRequester> <lineOfBusiness>mobility</lineOfBusiness> <lookupAttribute> <searchAttrValue>911425152231426</searchAttrValue> </lookupAttribute> </getLookUpService> </web:getLookUpServiceDetails> </soapenv:Body> </soapenv:Envelope>'|'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body> <ns:getLookUpServiceDetailsResponse xmlns:ns="http://webservices.lookup.sdp.bharti.ibm.com"> <getLookUpServiceReturn> <errorInfo> <ErrorCode>M136</ErrorCode> <ErrorMessage>While executing transform reformat for port out0: Index out of bounds in assignment for mapEntry.attributeValue. Index is 0 but vector has no elements. Source is the value "attribute_value_vec". </ErrorMessage> </errorInfo> <lookupResponseList/> </getLookUpServiceReturn> </ns:getLookUpServiceDetailsResponse> </soapenv:Body> </soapenv:Envelope> '|1500390865

As you can see my log is "|" separated and it has two xml data below are field in which my log need to be mapped.

txn_cd - 1000
user_id - 121
start_time - 2017-07-18 15:14:25.893024
status - 0
host -xxx.xxx.net
ser_name - read
request - '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.lookup.sdp.bharti.ibm.com">  <soapenv:Header/>  <soapenv:Body>  <web:getLookUpServiceDetails>  <getLookUpService>  <serviceRequester>iOBD</serviceRequester>  <lineOfBusiness>mobility</lineOfBusiness>  <lookupAttribute>  <searchAttrValue>911425152231426</searchAttrValue>  </lookupAttribute>  </getLookUpService>  </web:getLookUpServiceDetails>  </soapenv:Body>  </soapenv:Envelope>'
response - '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">  <soapenv:Body>  <ns:getLookUpServiceDetailsResponse xmlns:ns="http://webservices.lookup.sdp.bharti.ibm.com">  <getLookUpServiceReturn>  <errorInfo>  <ErrorCode>M136</ErrorCode>  <ErrorMessage>While executing transform reformat for port out0:  Index out of bounds in assignment for mapEntry.attributeValue.  Index is 0 but vector has no elements.  Source is the value "attribute_value_vec".  </ErrorMessage>  </errorInfo>  <lookupResponseList/>  </getLookUpServiceReturn>  </ns:getLookUpServiceDetailsResponse>  </soapenv:Body>  </soapenv:Envelope>  '
txn_id -1500390865

please help me with the configuration file.

magnusbaeck · October 23, 2017, 1:10pm

You should be able to use a csv filter to split up the line into separate fields.

abhisek · October 24, 2017, 9:58am

Used the below config file to split the line

input {
  file {
    path => "abc/abc.dat"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}
filter {
  csv {
      separator => "|"
      columns => ["txn_cd","usr_id","event_ts","status","host","service_name","request","response","txn_id"]
  }
   date{
match => ["event_ts", "yyyy-MM-dd HH:mm:ss.SSSSSS"]
target => "event_ts"
}
 mutate {convert => ["status", "integer"]}
}
output {
    elasticsearch {
        hosts => "http://abc:9200"
        index => "xml"
   }
    stdout {}
}

but the fields are not properly matched

magnusbaeck · October 24, 2017, 1:12pm

but the fields are not properly matched

Please elaborate. What do you get?

abhisek · October 25, 2017, 10:38am

My output looks like this in kibana after loading

 @timestamp	   	October 25th 2017, 16:02:31.500
t @version	   	1
t _id	   	AV9Rk1UH8A4YAHFNXmUV
t _index	   	xml
# _score	   	 - 
t _type	   	logs
t host	   	abc.abc.net
t message	   	||2017-07-18 15:40:16.836493|1|abc,abc.net|read|'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.lookup.sdp.bharti.ibm.com">  <soapenv:Header/>  <soapenv:Body>  <web:getLookUpServiceDetails>  <getLookUpService>  <serviceRequester>iOBD</serviceRequester>  <lineOfBusiness>mobility</lineOfBusiness>  <lookupAttribute>  <searchAttrValue>911425152231426</searchAttrValue>  </lookupAttribute>  </getLookUpService>  </web:getLookUpServiceDetails>  </soapenv:Body>  </soapenv:Envelope>'|'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">  <soapenv:Body>  <ns:getLookUpServiceDetailsResponse xmlns:ns="http://webservices.lookup.sdp.bharti.ibm.com">  <getLookUpServiceReturn>  <errorInfo>  <ErrorCode/>  <ErrorMessage/>  </errorInfo>  <lookupResponseList>  <mapEntry>  <attributeName>region</attributeName>  <attributeValue>["VIVO", "VIVO", "OPPO", "OPPO", "OPPO", "OPPO"]</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>msisdn</attributeName>  <attributeValue>"Maharashtra"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>imei</attributeName>  <attributeValue>"917756870222"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>imsi</attributeName>  <attributeValue>"911425152231426"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>device_vendor</attributeName>  <attributeValue>"404909092353805"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>device_type</attributeName>  <attributeValue>"E311"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>device_version</attributeName>  <attributeValue>"T2222"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>g3</attributeName>  <attributeValue>"Yes"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>mms</attributeName>  <attributeValue>"Yes"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>gprs</attributeName>  <attributeValue>"Yes"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>streaming</attributeName>  <attributeValue>"Yes"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>ota</attributeName>  <attributeValue>"Yes"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>wap</attributeName>  <attributeValue>"Yes"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>os</attributeName>  <attributeValue>"Google"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>version</attributeName>  <attributeValue>"4.4.2"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>camera</attributeName>  <attributeValue>"Yes"</attributeValue>  </mapEntry>  <mapEntry>  <attributeName>apn</attributeName>  <attributeValue>""AIRTELGPRS.COM,AIRTELMMS.COM""</attributeValue>  </mapEntry>  </lookupResponseList>  </getLookUpServiceReturn>  </ns:getLookUpServiceDetailsResponse>  </soapenv:Body>  </soapenv:Envelope>  '|1500392416
t path	   	/abc/abc
t tags	   	_csvparsefailure

Fields are not mapping according to the configuration file

magnusbaeck · October 25, 2017, 10:40am

As the _csvparsefailure tag indicates something goes wrong with the CSV parsing. The Logstash log should contain more information.

abhisek · October 25, 2017, 11:16am

Could you please help me on what extra information that need to be put in ?

magnusbaeck · October 25, 2017, 12:05pm

I meant that you should read the Logstash log file and look for clues about the CSV parse failure.

system · November 22, 2017, 12:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Correct configuration file for XML input Logstash	10	2774	September 28, 2017
How to read XML format within a .log file Logstash	4	2455	March 16, 2018
Logstash - Parse txt with xml Logstash	5	249	June 27, 2022
How to extract xml data? Logstash	8	1527	May 18, 2017
XML Confusion Logstash	2	486	April 12, 2017

How to read XML logs

Related topics