Logstash extract part of field

d.silwon · May 10, 2022, 7:17am

Dears,

ELK in version 7.16.3

What is the best way to extract part of mapped xml field to new field?

  if "app1xml" in [tags] {
  xml {
    source => "message"
    store_xml => false
    force_array => false
    xpath => [
      "/log//msg/field[@id='2']/@value", "app.source_field",

    ]
  }
  }

example field looks like:

      <field id="2" value="5350621360940215"/>

and I need only four first signs.

Best Regards,
Dan

adrianfusco · May 10, 2022, 7:54am

Hello,

Can you try using substring?

"substring(/log//msg/field[@id='2']/@value, 0, 4)", "app.source_field"

d.silwon · May 10, 2022, 8:14am

@adrianfusco

Works well. Thanks a lot.

system · June 7, 2022, 8:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract Info from Field using Logstash Logstash	3	420	October 14, 2020
Create an array from a nested XML field Logstash	4	1586	July 6, 2017
Picking substring from field in logstash Logstash	2	2911	September 20, 2017
Substring a field from Logstash Logstash	3	2030	March 4, 2020
Extracting a specific data from a field Logstash	6	302	May 18, 2018

Logstash extract part of field

Related topics