I would use a multiline codec for that
input { stdin { codec => multiline { pattern => "</Object>" negate => true what => "next" auto_flush_interval => 3 } } }
Then an xml filter
filter { xml { source => "message" store_xml => true target => "theXML" force_array => false } }
At that point you have a couple of choices. You could flatten the attributes using a ruby filter.
ruby {
code => '
event.get("[theXML][Attribute]").each { |v|
event.set("[Attributes]" + v["name"], v["value"])
}
'
}
Or you could iterate over the set and just stash the value you want in a temporary place, then use it to build the id.
ruby {
code => '
event.get("[theXML][Attribute]").each { |v|
if v["name"] == "Last Modified On"
event.set("[@metadata][lastModified]" , v["value"])
end
}
'
}