Is it possible to change the output structure?

The XML file you posted has an error: the following tag is not closed
<tag pluginname="LastUnauthenticatedResults">1539</tag>

The pipeline configuration below does what you asked for:

# Read the sample XML file and deliver the whole document as a single event,
# so the xpath expressions in the filter section see the complete tree.
input {
file {
# Windows path to the sample report. sincedb_path => "NUL" discards the read
# position, so the file is re-read from the beginning on every start.
path => "D:/xxxxx/ELKStack/sample.xml"
start_position => "beginning"
sincedb_path => "NUL"
codec => multiline {
# NOTE(review): the pattern is empty here, which as a regex matches every
# line; the original value was probably lost when the post was rendered
# (anything that looked like a tag would be stripped) -- confirm against the
# working config before copying this.
pattern => ""
negate => "true"
what => "previous"
# Flush the buffered lines as one event after 1 s of no new input, or once
# max_lines have been collected; the limit is set far above a typical report.
auto_flush_interval => 1
max_lines => 333333
}
}
}

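# Extract host and report-item attributes from the XML document in "message"
# and regroup them into one array of hashes under "reportitem".
filter {
  # store_xml => "false" keeps the full parsed tree ("parsed") out of the event;
  # only the xpath results are written, each as an array of matches (absent
  # when nothing matched).
  # NOTE(review): the document is a local file here; if it could ever come from
  # an untrusted source, confirm the xml filter's parser does not resolve
  # external entities.
  xml {
    source => "message"
    target => "parsed"
    store_xml => "false"
    xpath => [
      "/system/Report/ReportHost/@ip", "ip",
      "/system/Report/ReportHost/HostProperties/tag/@pluginname", "pluginname",
      "/system/Report/ReportHost/HostProperties/tag/text()", "content",
      "/system/Report/ReportHost/ReportItem/@port", "portname",
      "/system/Report/ReportHost/ReportItem/@severity", "severity"
    ]
  }

  # Pair the k-th port with the k-th severity and attach the first ip and
  # plugin name to every pair.
  ruby {
    code => "
      # Array() turns an absent field (nil) into [], so a report with no
      # ReportItem yields an empty reportitem instead of a NoMethodError;
      # i[0] / n[0] are then nil rather than raising.
      i = Array(event.get('ip'))
      n = Array(event.get('pluginname'))
      p = Array(event.get('portname'))
      s = Array(event.get('severity'))
      # Build the array directly: the previous version left carr unassigned
      # and then appended to it inside the loop, which fails on nil.
      carr = s.each_index.map { |k|
        { 'portname' => p[k], 'severity' => s[k], 'ip' => i[0], 'pluginname' => n[0] }
      }
      event.set('reportitem', carr)
    "
  }

  # Drop the raw XML text and the schema version from the emitted event.
  mutate {
    remove_field => ["message", "@version"]
  }
}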

# Write every finished event to the console using the rubydebug codec, which
# is meant for inspecting event contents during development.
output {
  stdout { codec => rubydebug }
}

The output is shown in the image below.

Capture
