Logstash not parsing my XML

I have been slogging all day to get this to work but no luck yet. There are number of questions with xml and tried every suggestion and it still doesn't.

Here's my basic XML:

   <?xml version="1.0" encoding="UTF-8"?>
    <players>
        <player>
            <name>Zidane</name>
            <club>Real Madrid</club>
            <country>France</country>
        </player>
        <player>
            <name>Luis Figo</name>
            <club>Real Madrid</club>
            <country>Portugal</country>
        </player>
        <player>
            <name>Ronaldo</name>
            <club>Barcelona F.C</club>
            <country>Brazil</country>
        </player>
    </players>

And the .conf file:

input {
    file {
        path => "/Users/chndha/Documents/ELK/data/sample/test.xml"
        type => "xml"
        start_position => beginning
        sincedb_path => "/dev/null"
        ignore_older => 0
        codec => multiline {
            pattern => "^<players>"
            negate => "true"
            what => "previous"
            max_lines => 5000
        }
    }
}
filter {
    xml {
        source => "message"
        target => "parsed"
        store_xml => "false"
        xpath => [
            "/player", "player",
            "/player//name", "player_name"
        ]
    }
    split {
        field => player
    }
    mutate {
        remove_field => [ "message", "parsed" ]
    }
}
output {
    stdout { codec => "rubydebug" }
}

and yes, I have tried without the split and that didn't work either. Nothing is printed to console.

Do not delete fields until you are sure they contain what you expect. You are not getting any messages because your multiline codec is never seeing lines starting with <players>, since that is indented. You can add 'auto_flush_interval => 3' to force the codec to emit an event.

At some point you will find you want to get rid of the newlines embedded by the codec, which can be done using

mutate { gsub => [ "message", "
", "" ] }

At that point xpath => [ "//player" ] (double slash) will work.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.