Dears,
ELK in version 7.16.3
What is the best way to extract part of mapped xml field to new field?
if "app1xml" in [tags] {
xml {
source => "message"
store_xml => false
force_array => false
xpath => [
"/log//msg/field[@id='2']/@value", "app.source_field",
]
}
}
example field looks like:
<field id="2" value="5350621360940215"/>
and I need only four first signs.
5350
Best Regards,
Dan
Hello,
Can you try using substring?
"substring(/log//msg/field[@id='2']/@value, 0, 4)", "app.source_field"
Works well. Thanks a lot.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.