Logstash - Parse XML attributes

Elastic Stack Logstash
1

I am trying to parse and send field names to ElasticSearch and am running into issue with getting the correct fields lined up.

Here is some sample XML

<products>
<product name="name_1"></product>
<product name="name_2"></product>
<product name="name_3"></product>
</products>

My logstash config file:

input {
    file {
        path => "sample.xml"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        exclude => "*.gz"
        type => "xml"
        codec => multiline {
            pattern => "<products>"
            negate => "true"
            what => "previous"
        }
    }
}

filter {
    xml {
        source => "message"
        store_xml => false
        target => "products"
        add_field => {
            "p_name" => "%{[products][product][name]}"
        }
        xpath => [
            "/products/*/@name", "product_name"
        ]
    }
}

Currently, in ElasticSearch: there is a single p_name set to %{[merchandiser][product][name]} and product_name is name_1, name_2, name_3

Instead, I would like to have 3 different records, each having their own unique product_name

What is correct xml filter?

2

If you have a field that is an array and you want to split it into one event per entry then use a split filter.

3

Do you have an example (based on the provided xml) that you can share?

4

@magnusbaeck - Are you able to help out here? I see you have answered similar queries and was hoping to grab your attention.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.