Issues with NMap Codec/NMAP File Ingest

(Walker) #1

I have some saved NMAP scans that I am trying to ingest. When using the nmap codec to ingest .nmap files, the below error is generated in the logstash log. Question 1: Can someone explain what the error indicates or where I am going wrong? I have a feeling the nmap codec is meant for streaming data and not saved files.

```
[filewatch.readmode.handlers.readfile] controlled_read: general error reading file {
  "path"=>"D:/ElasticStack/Ingest/NMap/ELResultsAzure.xml",
  "error"=>"#<NoMethodError: undefined method' for nil:NilClass>",
  "backtrace"=>[
    "D:/ElasticStack/Apps/Logstash/6.4.1/vendor/bundle/jruby/2.3.0/gems/ruby-nmap-0.8.0/lib/nmap/xml.rb:99:in `scanner'",
    "D:/ElasticStack/Apps/Logstash/6.4.1/vendor/bundle/jruby/2.3.0/gems/logstash-codec-nmap-0.0.21/lib/logstash/codecs/nmap.rb:40:in `decode'",
    "D:/ElasticStack/Apps/Logstash/6.4.1/vendor/bundle/jruby/2.3.0/gems/logstash-input-file-4.1.6/lib/logstash/inputs/file/patch.rb:6:in `accept'",
    "D:/ElasticStack/Apps/Logstash/6.4.1/vendor/bundle/jruby/2.3.0/gems/logstash-codec-multiline-3.0.10/lib/logstash/codecs/identity_map_codec.rb:178:in `accept'",
    "D:/ElasticStack/Apps/Logstash/6.4.1/vendor/bundle/jruby/2.3.0/gems/logstash-input-file-4.1.6/lib/logstash/inputs/file_listener.rb:36:in `accept'",
    "D:/ElasticStack/Apps/Logstash/6.4.1/vendor/bundle/jruby/2.3.0/gems/logstash-input-file-4.1.6/lib/filewatch/read_mode/handlers/read_file.rb:38:in `block in controlled_read'",
    "org/jruby/ each'",
    "D:/ElasticStack/Apps/Logstash/6.4.1/vendor/bundle/jruby/2.3.0/gems/logstash-input-file-4.1.6/lib/filewatch/read_mode/handlers/read_file.rb:37:in `block in controlled_read'"
  ]
}
```

Attempting to work around this issue, I am ingesting the files and then using the XML filter in conjunction with XPaths to get the data parsed. However, I am running into a problem where some fields are populated with an array of values. This leads me to Question 2: When an XPath matches multiple nodes and populates an array of values, is there a way to enumerate over the field and split it into separate values? For example, if XPath node /root/sub contains anywhere from 1 to 10 child nodes called host, is there something that will split that value out and write to subfields of host?
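The following pipeline is an added example illustrating the second question; it is not from this thread or from the Logstash project itself. It assumes Logstash 6.x with the bundled file input, multiline codec, xml filter and split filter, the same Windows path family as above (a placeholder), and the standard Nmap XML layout (/nmaprun/host, address/@addr, status/@state, ports/port/@portid). The pattern is: extract each matching node as a string into an array field, use the split filter to turn that array into one event per element, then run a second xml filter over the single-host string to populate subfields of host. The multiline codec on the input is there so a whole scan file reaches the codec or filter as one event instead of one line at a time; that this is the cause of the NoMethodError in the first question is an assumption, not something the thread confirms.

```conf
# Added example, not from this thread. Field names, paths and index name are
# placeholders; XPaths assume the standard Nmap XML structure.
input {
  file {
    path => "D:/ElasticStack/Ingest/NMap/*.xml"
    mode => "read"
    sincedb_path => "D:/ElasticStack/Ingest/nmap.sincedb"
    # Every line that is not the XML declaration is appended to the previous
    # event, so each scan file arrives downstream as a single event.
    codec => multiline {
      pattern => "^<\?xml"
      negate => true
      what => "previous"
      max_lines => 100000
      auto_flush_interval => 2
    }
  }
}

filter {
  # Step 1: select every <host> element. With store_xml => false the xml
  # filter stores each matched node as its serialized XML string, and
  # force_array (default true) makes host_xml an array even for one host.
  xml {
    source => "message"
    store_xml => false
    remove_namespaces => true
    xpath => [ "/nmaprun/host", "host_xml" ]
  }

  # Step 2: clone the event once per array element; after this, host_xml
  # holds exactly one host's XML in each event.
  split { field => "host_xml" }

  # Step 3: parse the single host and write scalar values to subfields of host.
  # [host][ports] is still an array (one entry per port); add
  # "split { field => \"[host][ports]\" }" here if one event per port is wanted.
  xml {
    source => "host_xml"
    store_xml => false
    xpath => [
      "/host/address[@addrtype='ipv4']/@addr", "[host][ip]",
      "/host/status/@state",                   "[host][status]",
      "/host/ports/port/@portid",              "[host][ports]"
    ]
  }

  # The whole document and the per-host fragment are no longer needed.
  mutate { remove_field => [ "message", "host_xml" ] }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "nmap-%{+YYYY.MM.dd}"
  }
}
```

Note the field chosen for the first xpath must be a top-level field (or any field the split filter can read), and the second xml filter's XPaths start at /host because the fragment passed to it has the host element as its document root. The caveat with this approach is that each host event carries no scan-level context (scanner arguments, start time) unless it is also extracted in the first xml filter before the split, since the split filter copies all other fields into every resulting event.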

(system) #2

