Hello.
I'm trying to parse a specific log event in XML. I used the xml filter with the target => "parsed_listen".
After running, it creates a field "parsed_listen.txt" with the message from the log... Now I want to parse that field with the kv filter. But I don't seem to be able to use the kv filter with the source => "parsed_listen.txt"...
Any thoughts on that?
Thanks!!
Please don't describe your configuration, show it.
This is part of my Logstash configuration...

    else if "listen_xml" in [tags] {
      xml {
        source => "message"
        target => "parsed_listen"
        force_array => false
        force_content => true
        add_tag => [ "xml_applied" ]
      }
      if "xml_applied" in [tags] {
        grok {
          match => { "parsed_listen.txt" => ["%{MONTHDAY}-%{DATA}-%{YEAR} %{TIME} /* %{DATA:[service]} /* %{DATA:[host]} /* %{INT:[return_code]}"] }
          add_tag => [ "passed" ]
        }
      }

The "parsed_listen.txt" is the variable to be parsed, as it contains the log information that I want, after using the xml filter... Is it possible to grok matching the target of the xml filter?
Thanks!!
Where and how is the parsed_listen.txt field created? The xml filter above only creates a parsed_listen field.
I'm not sure, but it was created by the xml filter... After it I could see the field created in Kibana... All I had to do to resolve this issue was:
mutate { rename => {"[parsed_listen][txt]" => "[parsed_txt]"} }
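
The field-reference point this thread turns on, shown as an added example that is not part of the original posts: Kibana displays a nested field as "parsed_listen.txt", while filters inside the pipeline address it as "[parsed_listen][txt]". The sample XML, its element names, the log line layout, and the capture names below are constructed, and force_content is left at its default on the assumption that txt then parses to a plain string.

```logstash
# Added example, not the poster's configuration.
input {
  generator {
    # Constructed sample event. The xml filter drops the root element,
    # so <txt> becomes the nested field [parsed_listen][txt].
    lines => [ '<event><txt>12-Jan-2017 10:15:02 * billing * app01 * 0</txt></event>' ]
    count => 1
    tags  => [ "listen_xml" ]
  }
}

filter {
  if "listen_xml" in [tags] {
    xml {
      source      => "message"
      target      => "parsed_listen"
      force_array => false
      add_tag     => [ "xml_applied" ]
    }
  }
  if "xml_applied" in [tags] {
    grok {
      # Bracket notation reaches the nested field directly, so no
      # rename to a top-level field is needed before matching.
      match => {
        "[parsed_listen][txt]" => "%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} \* %{DATA:service} \* %{DATA:src_host} \* %{INT:return_code}"
      }
      add_tag        => [ "passed" ]
      # Events that do not match stay visible under a dedicated tag
      # instead of passing through unparsed and unnoticed.
      tag_on_failure => [ "listen_grok_failed" ]
    }
  }
}

output {
  # Print the full event structure so the nesting is visible.
  stdout { codec => rubydebug }
}
```

The same bracket notation works for the kv filter's source option, which is what the original question asked about.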