I have the follow xml logs :
<?xml version="1.0" encoding="UTF-8"?> <trail xmlns="http://xmlns.teste.com/testeas/schema/teste_trailtrail-20.7.xsd" xmlns:xsi="http://www.w3.org/2001/XML-teste" xsi:Location="http://xmlns.teste.com/testeas/schema/teste_trailtrail-20.7.xsd"> <Version>20.7</Version> <trailRecord><trail_Type>8</trail_Type><EntryId>1</EntryId><Extended_Timestamp>2009-04-26T15:19:16.486475Z</Extended_Timestamp><SE_User>/</SE_User><OS_User>teste</OS_User><Userhost>alpha.localdomain</Userhost><OS_Process>2708</OS_Process><Terminal>pts/2</Terminal><Instance>0</Instance><Returncode>0</Returncode><OSPrivilege>ADMIN</OSPrivilege><SEID>1410052295</SEID> <Text_Text>CONNECT</Text_Text> </trailRecord> </trail>
And i have the follow filter:
` if [type] == "testebd"{
multiline {
pattern => "^\s|<|^[A-Za-z].>"
what => "previous"
}
mutate {
remove_field => ["entry", "[audit][xmlns]", "[audit][xmlns:xsi]"]
replace => [ "[AuditRecord][Audit_Type]", "%{[AuditRecord][Audit_Type]}" ]
}
xml {
source => "message"
target => "audit"
xpath => [ "/AuditRecord/Audit_Type/text()","Audit_Type" ]
xpath => [ "/AuditRecord/EntryId/text()","EntryId" ]
}
}`
And the follow output in Kibana:
I want to show the "trail_Type" , "EntryId", "Extended_Timestamp", "SE _User", "OS_User" fields ... indexed.
Could you help me to troubleshoot this?