How to split xml into different events

griffer98 · October 10, 2019, 1:54pm

I am trying to take certain parts of an xml document and split it into different events that I can look at separately in Kibana. Here is a sample xml document here.

<?xml version="1.0"?>
<Report>
	<company>some company</company>
	<address>some address</address>
	<employees>
		<file>
			<name>Bill Smith</name>
			<position>Crew Member</position>
		</file>
		<file>
			<name>John Doe</name>
			<position>General Manager</position>
		</file>
	</employees>
</Report>

I would like to get 3 different events out of this. One event that has the beginning tags. company and address. and two other ones which each contain the tags within the file tag, so two other events each with name and position. Also if possible, each of the two events would ideally also have the information from the first event.

Badger · October 10, 2019, 3:57pm

The employees elements will become an array, so you can use a split filter to split that to get one event per employee. You can create an additional event for the company using a clone filter.

    xml { source => "message" target => "theXML" force_array => false remove_field => [ "message" ] }
    clone { clones => [ "company" ] }
    if [type] == "company" {
        mutate { remove_field => [ "[theXML][employees]" ] }
    } else {
        split { field => "[theXML][employees][file]" }
    }

griffer98 · October 10, 2019, 7:10pm

This didnt work. When I look in discover in kibana, it is still showing it as 1 event.

system · November 7, 2019, 7:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.