Seems similar to How to split xml arrays?
here is my quick try at it, I have put your XML on one-line for testing with stdin, but should work the same as is, tested with LS 2.4 but should work as long as you have the latest xml filter in your install.
input {
stdin {
}
}
filter {
# brutal extract of the ns1:Value element from the soap message
xml {
source => "message"
target => "xmldata"
store_xml => "false"
remove_namespaces => true
xpath => ["//Value","value"]
remove_field => "message"
}
# Split the array in several events
split {
field => "value"
}
# Parse the remaining XML string to populate the event with fields
xml {
source => "value"
target => "json-value"
force_array => false
remove_field => "value"
}
}
output {
stdout { codec => rubydebug}
}
the output looks like
{
"@version" => "1",
"@timestamp" => "2016-10-14T03:54:17.324Z",
"host" => "debian",
"json-value" => {
"CreatedBy" => "HARRY.BAKER",
"CreationDate" => "2016-10-03T07:10:02.154Z",
"UserId" => "300000130595047",
"Name" => "Dan Billo"
}
}
{
"@version" => "1",
"@timestamp" => "2016-10-14T03:54:17.324Z",
"host" => "debian",
"json-value" => {
"CreatedBy" => "STEVE.BECK",
"CreationDate" => "2014-07-19T17:41:31.422Z",
"UserId" => "300000076703621",
"Name" => "Rama Re Rama"
}
}
HTH