I am facing some issues while trying to parse XML from some host by using port without XML.

Filebeat yml file created:

```yaml
- type: log
  paths:
    - O:\path\sample.xml
  fields:
    Branch: ${BRANCH}
    Major_Minor: ${MAJOR_MINOR}
    Build_Time: ${BUILD_TIME}
  # '?' is escaped so the pattern matches a literal "<?xml ... ?>" declaration
  multiline.pattern: '^<\?xml.*\?>'
  multiline.negate: true
  multiline.match: after
```

sample.xml :

<?xml version="1.0"?> Tove Jani Reminder Don't forget me this weekend!

Logstash conf file:

```
input {
  beats {
    port => "5071"
  }
}

filter {
  if [source] =~ /sample/ {
    mutate {
      add_field => {
        "name" => "xml_files"
      }
    }
    xml {
      source => "message"
      target => "[theXML]"
      store_xml => true
      remove_namespaces => true
      force_array => false
      remove_field => ["message"]
    }
    ruby {
      path => "rubypath/split_fields.rb"
      script_params => { field => "[theXML][disk]" target => "theXML" }
    }
  }
}

output {
  stdout {
    codec => rubydebug
  }
}
```

Ruby code:

```ruby
def register(params)
  @field = params['field']
  @target = params['target']
end

def filter(event)
  data = event.get(@field)
  event.remove(@field)
  a = []
  data.each { |x|
    e = event.clone
    e.set(@target, x)
    a << e
  }
  a
end
```

Not able to push them to Elasticsearch & Kibana even though we have set correct ports:

```
[WARN ] 2020-07-03 02:04:22.398 [[main]>worker0] xml - Error parsing xml with XmlSimple {:source=>"message", :value=>"<?xml version=\"1.0\"?>\n\nTove\nJani\nReminder\nDon't forget me this weekend!", :exception=>#<REXML::ParseException: No close tag for /note
Line: 6
Position: 131
Last 80 unconsumed characters:

, :backtrace=>["uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/parsers/treeparser.rb:28:in `parse'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/document.rb:288:in `build'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/document.rb:45:in `initialize'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/xml-simple-1.1.5/lib/xmlsimple.rb:971:in `parse'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/xml-simple-1.1.5/lib/xmlsimple.rb:164:in `xml_in'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/xml-simple-1.1.5/lib/xmlsimple.rb:203:in `xml_in'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-xml-4.0.7/lib/logstash/filters/xml.rb:185:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:143:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:162:in `block in multi_filter'", "org/jruby/RubyArray.java:1814:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:115:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:262:in `block in start_workers'"]}
[ERROR] 2020-07-03 02:04:22.447 [[main]>worker0] ruby - Could not process event: undefined method `each' for nil:NilClass {:script_path=>"/etc/logstash/conf.d/split_fields.rb", :class=>"NoMethodError", :backtrace=>["/etc/logstash/conf.d/split_fields.rb:10:in `filter'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.5/lib/logstash/filters/ruby/script/context.rb:55:in `execute_filter'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.5/lib/logstash/filters/ruby/script.rb:30:in `execute'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.5/lib/logstash/filters/ruby.rb:98:in `file_script'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-ruby-3.1.5/lib/logstash/filters/ruby.rb:84:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:143:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:162:in `block in multi_filter'", "org/jruby/RubyArray.java:1814:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:115:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:262:in `block in start_workers'"]}
```

```
{
    "source" => "path\sample.xml",
    "beat" => {
        "name" => "XXXXXXXX",
        "version" => "6.4.1",
        "hostname" => "XXXXXXX"
    },
    "name" => "xml_files",
    "offset" => 0,
    "prospector" => {
        "type" => "log"
    },
    "@timestamp" => 2020-07-03T06:07:30.579Z,
    "@version" => "1",
    "message" => "<?xml version=\"1.0\"?>\n\nTove\nJani\nReminder\nDon't forget me this weekend!",
    "input" => {
        "type" => "log"
    },
    "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_xmlparsefailure",
        [2] "_rubyexception"
    ],
    "fields" => {
        "Branch" => "dev/juniper\0",
        "Major_Minor" => "5978\0_0",
        "Build_Time" => "2020-06-21 09:23:37"
    },
    "host" => {
        "name" => "XXXXXXXXX"
    }
}
```

Is there any way to send the whole XML as one event without XPaths?
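An added example, not part of the original post and not Logstash's own code: a variant of the split_fields.rb script above that tolerates the nil input behind the `undefined method 'each' for nil:NilClass` error (the xml filter had already failed) and the single Hash that `force_array => false` yields when the element occurs once. `StubEvent` and the `_split_fields_missing` tag name are assumptions, introduced so the script runs outside Logstash.

```ruby
# Stand-in for LogStash::Event, constructed for this example so the script
# runs outside Logstash; it models only get/set/remove/tag/clone.
class StubEvent
  def initialize(data = {})
    @data = data
  end

  def keys_for(ref) # "[a][b]" -> ["a", "b"]; "a" -> ["a"]
    ref.start_with?('[') ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
  end

  def get(ref)
    @data.dig(*keys_for(ref))
  end

  def set(ref, value)
    *path, last = keys_for(ref)
    parent = path.reduce(@data) { |h, k| h[k].is_a?(Hash) ? h[k] : (h[k] = {}) }
    parent[last] = value
  end

  def remove(ref)
    *path, last = keys_for(ref)
    (path.empty? ? @data : @data.dig(*path))&.delete(last)
  end

  def tag(name)
    (@data['tags'] ||= []) << name
  end

  def clone
    StubEvent.new(Marshal.load(Marshal.dump(@data)))
  end
end

# split_fields.rb with guards for the two shapes the pipeline can hand it.
def register(params)
  @field = params['field']
  @target = params['target']
end

def filter(event)
  data = event.get(@field)
  # nil: the xml filter failed (_xmlparsefailure) or the element is absent.
  # Pass the event on with a tag (hypothetical name) instead of raising.
  return [event.tap { |e| e.tag('_split_fields_missing') }] if data.nil?
  event.remove(@field)
  items = data.is_a?(Array) ? data : [data] # force_array => false: lone child is a Hash
  items.map { |item| event.clone.tap { |e| e.set(@target, item) } }
end
```

With the guard in place, an event that failed XML parsing keeps its `_xmlparsefailure` tag and continues to the output instead of also collecting `_rubyexception`.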

Welcome!

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reason.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.
